Memory saving packet modification

UE sending combined active cell set signal quality measurements to the network if they are equal to or better than the inter-RAT or inter-frequency signal qua

A method is disclosed that comprises obtaining a new value for a dynamic signal quality threshold based on a base signal quality threshold and a UE context-sensitive buffer margin (202) and using this as a handover triggering threshold; if a measured signal quality on the currently active cell falls below the current trigging threshold (206): obtaining a combined quality of all cells within an active cell set (Co-ordinated Multipoint, CoMP) (208) and an inter-frequency signal quality or an inter-radio access technology (RAT) signal quality from an inter-frequency or inter-RAT cell within range of the wireless device; and blocking or not sending an inter-RAT measurement report to a wireless network element if the obtained combined signal quality is equal to or better than the obtained inter-frequency or inter-RAT signal quality, wherein the measurement report is either an inter-frequency measurement report or an inter-radio access technology (RAT) measurement report (210).

Entropy and value based packet truncation

Entropy and value based packet truncation

Network packets may be captured by a network recorder or probe and stored in a storage device to create a history of packets. There is a need to store the captured data efficiently to preserve storage space. The invention analyses the captured packets to determine if they can be reduced in size before storing. Packets in a computer network are received via an input port and the header fields and starting point of the payload are identified. The entropy of the payload is estimated and compared to a threshold. A signal (e.g. entropy exceed signal) is generated indicating if a payload may be truncated or compressed. The value of a packet may be determined based on the header, and all or some of the data stored in the storage device based on its value and estimated entropy. The user may specify policies or rules for compressing or truncating the packets. The recorded packets may be used for incident investigation (e.g. hacking) or performance evaluation. By being economical with storage one ...

SYSTEM AND PROCEDURE FOR THE PROCESSING OF OPERATIONAL DATA, WHICH ARE ASSOCIATED WITH OF A TRANSMISSION IN A DATENKOMMUNIKATIONSSYTEM

Method for reliable transportation of alarm messages in a distributed computing system

Die Erfindung betrifft ein Verfahren zum zuverlässigen Transport von Alarmnachrichten in einem verteilten Computersystem, welches Computersystem Komponenten, insbesondere eine Vielzahl von Komponenten, umfasst, wobei es sich bei den Komponenten um Knotenrechner, Verteilereinheiten, Sensoren, vorzugsweise intelligente Sensoren und Aktuatoren, vorzugsweise intelligente Aktuatoren handelt, und wobei alle Komponenten Zugriff auf eine globale Zeit bekannter Präzision haben, und wobei die Knotenrechner, intelligenten Sensoren und intelligenten Aktuatoren über die Verteilereinheiten Nachrichten austauschen. Es ist vorgesehen, dass das Computersystem intelligente Alarmsensoren umfasst oder intelligente Alarmsensoren dem Computersystem zugeordnet sind, und wobei ein intelligenter Alarmsensor zwei Typen von zeitgesteuerten Nachrichten aussendet, Alarmnachrichten mit einer a priori vorgegebenen Alarmtransportperiode, und Fehlererkennungsnachrichten mit einer a priori vorgegebenen Fehlererkennungsperiode ...

Method for detecting abnormal conditions in a computer network

Die Erfindung betrifft ein Verfahren zur Detektion von anomalen Zuständen, insbesondere verursacht durch Manipulation, in einem Computernetzwerk (1), welches mehrere Computer (1a, 1b, 1c) umfasst, -wobei Computer (1a, 1b, 1c) bei Auftreten vorgegebener Ereignisse einen Protokolldatensatz (3a, 3b, 3c) erstellen, -wobei die Protokollzeilen (3a, 3b, 3c) aus den einzelnen Protokolldateien (4a, 4b, 4c) homogenisiert werden und in eine zentrale Protokolldatei (4) geschrieben werden, -wobei eine recodierte Protokolldatei (5) der zentralen Protokolldatei (4) erstellt wird, indem zeilenweise aufeinander folgende Zeichen oder Zeichenketten der zentralen Protokolldatei (4) aufgrund einer Codierungsvorschrift (f) in eine recodierte Protokolldatei (5) übergeführt werden, -wobei die einzelnen Zeilen (5a, 5b, 5c) der recodierten Protokolldatei (5) hinsichtlich ihrer Ähnlichkeit analysiert und zu Gruppen (6a, 6b, 6c) zusammengefasst werden, und -wobei nach Gruppen (6a, 6b, 6c) mit einer geringen Anzahl ...

Collecting and analyzing selected network traffic

A tracking system is described herein for investigating the behavior of a network. In operation, each switch in the network (or each switch in some subset of switches) may determine whether each original packet that it processes satisfies one or more packet-detection rules. If so, the switch generates a mirrored packet and sends that packet to a load balancer multiplexer, which, in turn, forwards the mirrored packet to a processing module for further analysis. The packet-detection rules hosted by the switches can be designed to select a subset of packets that are of greatest interest, based on any environment-specific objectives. As a result of this behavior, the tracking system can effectively and quickly pinpoint undesirable (and potentially desirable) behavior of the network, without being overwhelmed with too much information.

CLOUD COMPUTING ENVIRONMENT SYSTEM FOR AUTOMATICALLY DETERMINING OVER-THE-TOP APPLICATIONS AND SERVICES

A cloud computing system for determining Over-The-Top (OTT) applications includes a cloud computing environment partitioned into a plurality of partitions. The cloud partitions include at least a first wireless network operator's cloud, a second wireless network operator's cloud and a shared partition configured to receive and store information uniquely identifying OTT applications supported by at least one of the first and second wireless network operators. The system further includes a plurality of active agents. Each active agent receives a list of OTT service platforms supported by a corresponding wireless network operator. The received list includes a plurality of URLs associated with various applications that are delivered by the OTT service platforms. The active agent(s) connect to the plurality of URLs to determine information uniquely identifying each of the OTT applications and to store the information in the shared partition of the cloud computing environment.

COLLECTING AND ANALYZING SELECTED NETWORK TRAFFIC

A tracking system is described herein for investigating the behavior of a network. In operation, each switch in the network (or each switch in some subset of switches) may determine whether each original packet that it processes satisfies one or more packet-detection rules. If so, the switch generates a mirrored packet and sends that packet to a load balancer multiplexer, which, in turn, forwards the mirrored packet to a processing module for further analysis. The packet-detection rules hosted by the switches can be designed to select a subset of packets that are of greatest interest, based on any environment-specific objectives. As a result of this behavior, the tracking system can effectively and quickly pinpoint undesirable (and potentially desirable) behavior of the network, without being overwhelmed with too much information.

A method and system for realizing the network performance measurement

The invention discloses a network performance measurement method to solve the problem of available technologies that the same measured stream of measurement point at both sides of switching equipment can't be identified due to the network address mapping and give the adverse influences to the network performance measurement; this method may position the network address switching device on the transmission path between the first measurement point and the second measurement point according to the measurement request, and regard it as the intermediate measurement point; issue the network performance measurement configuration to the first measurement point, intermediate measurement point and the second measurement point; fulfill the network performance measurement respectively between the first measurement point and the intermediate measurement point, and between the intermediate measurement point and the second measurement point, and integrate both measurement sections to obtain the complete ...

Equipment management method, equipment and equipment management controller

TIME EFFICIENT COUNTERS AND METERS ARCHITECTURE

A network device includes a plurality of interfaces configured to receive, from a network, packets to be processed by the network device. A load determination circuit of the network device is configured to determine whether a packet traffic load of the network device is above a traffic load threshold, and a dual-mode counter module is configured to (i) determine a count of quanta associated with the received packets using a first counting mode in response to the load determination unit determining that the packet traffic load is above the traffic load threshold, and (ii) determine a count of quanta associated with the received packets using a second counting mode, different than the first counting mode, in response to the load determination unit determining that the packet traffic load is not above the traffic load threshold.

A METHOD OF, AND APPARATUS FOR, ANALYSING NETWORK COMMUNICATIONS DATA

Units of data are obtained from a communications network. Each unit of data comprises a plurality of attributes and is associated with a respective timestamp. For analysing the network communications data, a time interval is specified, and for that time interval a signature is generated by a signature generator 120 from each unit of network communications data whose timestamp is in that time interval. The number of occurrences of each distinct signature in that time interval is counted, and a resulting table of counts corresponding to each signature is stored in a record store 40. The table of counts represents a time series of domain name system (DNS) queries in a network.

DYNAMICALLY ADJUSTING A SET OF MONITORED NETWORK PROPERTIES USING DISTRIBUTED LEARNING MACHINE FEEDBACK

In one embodiment, techniques are shown and described relating to dynamically adjusting a set of monitored network properties using distributed learning machine feedback. In particular, in one embodiment, a learning machine (or distributed learning machines) determines a plurality of monitored network properties in a computer network. From this, a subset of relevant network properties of the plurality of network properties may be determined, such that a corresponding subset of irrelevant network properties based on the subset of relevant network properties may also be determined. Accordingly, the computer network may be informed of the irrelevant network properties to reduce a rate of monitoring the irrelevant network properties.

Server-based network performance metrics generation system and method

A method and system of generating performance metrics for network traffic being transferred in and out of an intranet. Network traffic is non-intrusively measured from a server to client perspective within periodic measurement time intervals. The network traffic is analyzed based on each connection made from a server to a client and the measurement time interval. Using the network traffic analyzed, performance metrics are generated. Accumulated performance metrics are also generated when a connection extends beyond a measurement time interval.

User defined applications executed on optical modules for performance monitoring in optical networks

An optical module adapted to operate in an optical network to perform an optical function therein includes optical components adapted to perform one or more functions associated with the optical module; processing circuitry communicatively coupled to the optical components and adapted to obtain data generated during operation of the one or more functions; and compute resources communicatively coupled to the processing circuitry and adapted to receive an application for local execution on the compute resources in a sandboxed manner, and analyze, by the application, the data to perform one or more functions.

Apparatus and methods for removing a large-signal voltage offset from a biomedical signal

Apparatus and methods remove a voltage offset from an electrical signal, specifically a biomedical signal. A signal is received at a first operational amplifier and is amplified by a gain. An amplitude of the signal is monitored, by a first pair of diode stages coupled to an output of the first operational amplifier, for the voltage offset. The amplitude of the signal is then attenuated by the first pair of diode stages and a plurality of timing banks. The attenuating includes limiting charging, by the first pair of diode stages, of the plurality of timing banks and setting a time constant based on the charging. The attenuating removes the voltage offset persisting at a threshold for a duration of at least the time constant. Saturation of the signal is limited to a saturation recovery time while the saturated signal is gradually pulled into monitoring range over the saturation recovery time.

System and method of determining malicious processes

Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. A method includes determining a lineage for a process within the network and then evaluating, through knowledge of the lineage, the source of the command that initiated the process. The method includes capturing data from a plurality of capture agents at different layers of a network, each capture agent of the plurality of capture agents configured to observe network activity at a particular location in the network, developing, based on the data, a lineage for a process associated with the network activity and, based on the lineage, identifying an anomaly within the network.

Policy utilization analysis

An example method according to some embodiments includes receiving flow data for a packet traversing a network. The method continues by determining a source endpoint group and a destination endpoint group for the packet. The method continues by determining that a policy was utilized, the policy being applicable to the endpoint group. Finally, the method includes updating utilization data for the policy based on the flow data.

METHOD FOR CONTROLLING MEASUREMENTS IN A WIRELESS TELECOMMUNICATIONS TERMINAL

A method is provided for controlling measurements in a wireless telecommunications terminal. In a Long Term Evolution (LTE) wireless communication system, the network instructs a UE to measure the received power and quality of the reference signals of the serving cell as well as of neighbor cells. The object of improving the system power consumption of user equipment (UE) that has to perform such measurements is solved by distributing the measurement functionality between RRC and PHY layers such that the RRC layer is enabled to rest in a power save mode unless results of the measurements have to be reported to the network, and to be only active for a minimum to ensure that the UE still behaves standard compliant to the network.

DATA HANDLER

MANAGEMENT DEVICE AND APPARATUS INFORMATION TRANSMITTING DEVICE

Система обнаружения атак с адаптивным распределением вычислительных ресурсов

Изобретение относится к вычислительной технике. Технический результат заключается в снижении вероятности пропуска цели системой обнаружения атак при увеличении скорости защищенного информационного потока корпоративных сетей. Технический результат обеспечивается за счет включения в состав системы обнаружения атак устройства оценки и управления балансировки используемых вычислительных ресурсов, состоящего из первого и второго блоков сравнения, базы данных, устройства ввода данных, соединенного с маршрутизатором, серверами услуг связи и планировщиком задач процессора системы обнаружения атак. 2 ил.

Verfahren und Vorrichtung zur Protokollierung von Kommunikationsverbindungen bei sehr hohen Datenraten

Die Vorrichtung zeichnet die Daten mehrerer Stufen einer Protokollhierarchie in einem Kommunikationssystem auf. Hierzu werden die Daten von einem Empfänger empfangen und von einem Speicher gespeichert. Die Daten bestehen aus Nutzdaten (60) und Steuer-Informationen (61, 62, 63). Die Steuer-Informationen (61, 62, 63) sind den einzelnen Protokollhierarchieebenen zugeordnet. Dabei werden die Steuer-Informationen (61, 62, 63) sämtlicher Protokollhierarchieebenen empfangen und gespeichert. Weiterhin wird höchstens eine Kopie der Nutzdaten (60) gespeichert.

Reducing size of diagnostic data downloads

Method and system are provided for reducing size of diagnostic data downloads. The method includes: reading at least one of a format and a content of one or more diagnostic data files 111; applying pre-defined priority rules 113 to at least one of files and subsets 112 of files using at least one of the format and the content of the files; assigning a priority level to a file or a subset of a file based on the ability of the file or the subset of the file to diagnose a failure as determined by the priority rules; ordering 114 at least one of the files and the subsets of the files into a file stream 115; streaming the file stream to a remote diagnostic system 120; and receiving a notification from the remote diagnostic system to stop the streaming if sufficient diagnostic data to diagnose the failure has been received by the remote diagnostic system.

Memory saving packet modification

Reducing size of diagnostic data downloads

Computer network management tools

Network node fault diagnosis using trace triggers

Performance monitoring and fault diagnosis on a network of nodes (105, 106, 107, fig. 1) is carried out by including integer-value trace triggers in message headers, such that a higher trigger value initiates a higher level (deeper) trace function when the message is received and inspected by a node comprising trace management, message routing and message monitoring modules (fig. 2). Trace data is stored in database 109. The trace function may be activated for a period that is predetermined or determined by the trigger value, and a node may set a trigger in messages from predetermined sources even when no trigger is detected. Focusing the trace in this way reduces the computational cost of initiating a global trace which generates large volumes of trace data.

Method of pinning domain walls in a nanowire magnetic memory device

Analytics performance enhancements

A method and apparatus for processing metric information is disclosed in one embodiment. Metric information is gathered from a number of end users. At least some of the reference types are converted to value types and stored in non-mechanical memory. The value types are manipulated to summarize the metric information. The value types are processed using the stack instead of the heap.

BENCHMARK DEVICE FOR COMPARISON EVALUATION OF AN INTERNET APPLICATION TRAFFIC CLASSIFICATION METHOD, CAPABLE OF INCREASING DATA PROCESSING EFFICIENCY

PURPOSE: A benchmark device for comparison evaluation of an internet application traffic classification method is provided to supply an accurate network traffic analyzing result. CONSTITUTION: A user interface(1) inputs internet application traffic trace data of a user. The user interface provides operation data operated from performance evaluation and classification results of an internet application traffic classification method. A pre/post-processor(3) converts the input data into a form suitable for each classification plug-in. The pre/post-processor compares and evaluates the performance about each plug-in. A classifier(5) manages/executes plug-in. COPYRIGHT KIPO 2010 ...

Method and system for determining overall content values for content elements in a web network and for optimizing internet traffic flow through the web network

A method for optimizing traffic flow through a web network including collecting data corresponding to the content elements, determining a revenue value for each content element, calculating an overall content value for each content element based on the corresponding revenue value and revenue generated from subsequent flow of a user during a visit to the network, and modifying the network based on the overall content value and the content data, so as to maximize the value of the network. Also disclosed is a system for determining overall content values for a plurality of content elements including an analytic server for receiving content data corresponding to the content elements, and a processor determining a revenue value for each element and calculating an overall content value for each content element based on the corresponding revenue value and revenue generated from subsequent traffic flow of a user during a visit to the network.

Network testing systems

A method of testing a digital mobile phone network such as a GPRS or 3G network comprises creating test traffic using an unmodified test mobile phone coupled to a computer, and using the computer to measure a parameter associated with the network's response to the test traffic. The measurements made by the computer are encoded into the test traffic to create a data stream within the mobile phone network comprising test traffic, measurements relating to the test traffic, and signalling relating to the test traffic, whereby this data stream can be captured at points within the network and analysed to investigate the functioning of the network dynamically as the network is exercised with the test traffic. Software and test equipment for performing the method are also described.

Method and system for reporting the status of an aggregate resource residing in a network of interconnected real resources

In a network composed of communicating resources, the status of an aggregate resource may be determined by calculations based upon the status assumed by the real resources contained within the aggregate rather than being determined directly. The status of real resources may be propagated to still higher aggregate resources whose own status is based upon the status of the real resources contained within it. An aggregate resource may have multiple potential statuses and a decision as to which status to report for an aggregate resource at a given time is calculated based upon the status of the underlying real resources which it contains. Each real resource has associated with it another parameter which is its aggregation priority value indicating to what degree a change in its status will affect higher level nodes or aggregates in a network hierarchy. In assigning a new aggregate status to a given aggregate resource, the calculation for aggregate status determines the status of the real underlying ...

Continuous autonomous monitoring of systems along a path

In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

METHODS AND APPARATUS TO CREATE AND TRANSMIT A CONDENSED LOGGING DATA FILE

A method for producing log data for a programming receiver is provided. The method executes a set of instructions comprising at least a log statement, the log statement causing the programming receiver to access condensed source code; compresses one or more string arguments in the log statement, during execution of the set of instructions; and generates a log file, based on the executed set of instructions and the compressed one or more string arguments.

APPLICATION MONITORING PRIORITIZATION

An approach for establishing a priority ranking for endpoints in a network. This can be useful when triaging endpoints after an endpoint becomes compromised. Ensuring that the most critical and vulnerable endpoints are triaged first can help maintain network stability and mitigate damage to endpoints in the network after an endpoint is compromised. The present technology involves determining a criticality ranking and a secondary value for a first endpoint in a datacenter. The criticality ranking and secondary value can be combined to form priority ranking for the first endpoint which can then be compared to a priority ranking for a second endpoint to determine if the first endpoint or the second endpoint should be triaged first.

Methods for monitoring quantities of computer devices, associated computer program and device

A method for monitoring a quantity of a computer device, including measuring values adopted by the quantity over time, determining a measured value, or extremum value, meeting at least one transmission criterion, in which the extremum value is a local extremum, and transmitting the extremum value.

SYSTEM AND METHOD OF DETECTING WHETHER A SOURCE OF A PACKET FLOW TRANSMITS PACKETS WHICH BYPASS AN OPERATING SYSTEM STACK

A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.

Streaming Network Monitoring Caching Infrastructure

Systems and methods of network telemetry caching and distribution are provided. The system can receive network telemetry data and store it as a plurality of data nodes. The system can maintain a node pointer map and a node pointer queue. If the system receives an update to a data node having a corresponding node pointer not already present in the node pointer map, the system can add the node pointer to the node pointer queue and to the node pointer map with a count of zero. If the node pointer is already present in the node pointer map, the system can increment the node count for the node pointer in the node pointer map and not add the node pointer to the node pointer queue. The system can transmit data values and node counts to the client device for each node pointer in the node pointer queue.

СБОР И АНАЛИЗ ВЫБРАННОГО СЕТЕВОГО ТРАФИКА

Network testing systems

Detecting overflows when counting the size or number of input data

A signal processor counts the number of input data packets and or the total size of the input data packets. The count is stored in a first memory location. When the value of the count exceeds the maximum value which can be stored in the memory location, a flag is set in a second memory location. The first memory location may then store the difference between the correct count value and the maximum value which may be stored in the location. The processor may maintain several counts for different types of packet. The types of packet may be identified by a field in the packet. The signal processor may be part of a network interface card and the counts may be statistical information about the packets being transmitted on the network.

Processing local area network diagnostic data

Memory saving packet modification

A computer-implemented method includes creating a master copy of a header for all packets of a data transmission event, the master copy including a plurality of intact constant header information, the plurality of intact constant header information being constant for all packets of the data transmission event, storing unique header information for all packets of the data transmission event, the unique header information including information unique to at least one packet of the data transmission event, tokenizing identities of each packet of the data transmission event to create a tokenized packet ID for each packet, and indexing the stored unique header information based on the tokenizing. According to the method, at packet read- time, unique header information associated with the packet is overlayed onto the master copy to create a unique packet.

Method of pinning domain walls in a nanowire magnetic memory device

A method of pinning domain walls in a magnetic memory device (10), comprising the use of an antiferromagnetic material in conjunction with a ferromagnetic material to create domain wall pinning sites. Junctions (22) where arrays of ferromagnetic nanowires (16) and antiferromagnetic nanowires (20) cross exhibit a permanent exchange bias interaction between the ferromagnetic material and the antiferromagnetic material which creates domain wall pinning sites. The exchange bias field Hex is between 30 to 3600 Oersteds (Oe) and the anisotropy direction of the ferromagnetic elements is between 15 to 75° to an anisotropy direction of the antiferromagnetic elements. The magnetic memory may operate as a magnetic shift register.

Signal processor, tranmission apparatus and method for processing signal

Method for detecting abnormal conditions in a computer network

Die Erfindung betrifft ein Verfahren zur Detektion von anomalen Zuständen, insbesondere verursacht durch Manipulation, in einem Computernetzwerk (1), welches mehrere Computer (1a, 1b, 1c) umfasst, -wobei Computer (1a, 1b, 1c) bei Auftreten vorgegebener Ereignisse einen Protokolldatensatz (3a, 3b, 3c) erstellen, -wobei die Protokollzeilen (3a, 3b, 3c) aus den einzelnen Protokolldateien (4a, 4b, 4c) homogenisiert werden und in eine zentrale Protokolldatei (4) geschrieben werden, -wobei eine recodierte Protokolldatei (5) der zentralen Protokolldatei (4) erstellt wird, indem zeilenweise aufeinander folgende Zeichen oder Zeichenketten der zentralen Protokolldatei (4) aufgrund einer Codierungsvorschrift (f) in eine recodierte Protokolldatei (5) übergeführt werden, -wobei die einzelnen Zeilen (5a, 5b, 5c) der recodierten Protokolldatei (5) hinsichtlich ihrer Ähnlichkeit analysiert und zu Gruppen (6a, 6b, 6c) zusammengefasst werden, und -wobei nach Gruppen (6a, 6b, 6c) mit einer geringen Anzahl ...

SUPPLEMENTING NETWORK FLOW ANALYSIS WITH ENDPOINT INFORMATION

Techniques are disclosed for supplementing network flow analysis with data collected from endpoint computer systems in a network. An endpoint analysis agent may run on endpoints to collect information relating to computing activity internal to the endpoint, including system configuration information, event information, and network, user, process, and file activity. This information may be reported to a network flow analyzer using an extensible flow data record format. The flow analyzer may then correlate this information with network flow data records received from flow collectors in the network to perform a security analysis. In various embodiments, the endpoint analysis agent may cache the collected information when the endpoint is offline. The agent may also perform data reduction operations (such as compression) on the collected information before reporting; data may be further reduced by reporting data only during specified time periods. An analysis agent may also be deployed in a ...

Heuristic network traffic classification using byte-distributions

A network device has counters that are configured to generate for a plurality of byte positions in a specified portion of data packets, a count indicative of a correspondence of a value found at the byte position corresponding to a rule such that occurrences of predetermined byte values in the plurality of byte positions may be counted. A packet classifier is configured to receive from the counters a number of byte values corresponding to the rules and to classify data packets based on the analysis.

TARGETED USER NOTIFICATION OF MESSAGES IN A MONITORING SYSTEM

A system and method of targeting message notifications in a monitoring system is provided including a notification module (103) having a time set module (105) for time- stamping a first message for indicating when a user was notified of the first message and setting an aging interval for the user-notified first message. A monitoring module (107) is provided for determining if a same message is received and for sending the user another notification of the same message if the aging interval of the user-notified first message has expired.

Memory saving packet modification

A computer-implemented method that includes creating a master copy of a header for all packets of a data transmission event, the master copy including a plurality of intact constant header information, the plurality of intact constant header information being constant for all packets of the data transmission event, storing unique header information for all packets of the data transmission event, the unique header information including information unique to at least one packet of the data transmission event, tokenizing identities of each packet of the data transmission event to create a tokenized packet ID for each packet, and indexing the stored unique header information based on the tokenizing. According to the method, at packet read-time, unique header information associated with the packet is overlayed onto the master copy to create a unique packet.

MULTI-TIER MESSAGE CORRELATION

A system and method determines correlations within multi-tier communications based on repeated iterations/episodes of executions of a target application. Content-based correlations are determined by encoding the content using a finite alphabet, then searching for similar sequences among the multiple traces. By encoding the content to a finite alphabet, common pattern matching techniques may be used, including, for example, DNA alignment algorithms. To facilitate alignment of the traces, structural and/or semantic breakpoints are defined, and the encoding in each trace is synchronized to these breakpoints. To facilitate efficient processing, a hierarchy of causality among tier-pairs is identified, and messages at lower levels are ranked and temporally filtered, based on activity intervals at higher levels of the hierarchy.

SYSTEMS AND METHODS FOR NON-INTRUSIVE NETWORK PERFORMANCE MONITORING

A first network device may receive packets as part of a traffic flow of an internet protocol session, select a packet based on a rule, and add, to a packet replica of the selected packet, routing information capable of being used to generate performance indicators associated with the IP session. The first network device may modify a portion of the packet replica to include values that will cause the packet replica to fail to reach a destination device associated with the IP session, and provide the packet replica to other network devices to cause a second network device to perform a validation procedure to determine that the packet replica is unable to be validated based on the values, to generate the performance indicators using the packet replica or a group of packet replicas that have been modified, and to provide the performance indicators to a particular device.

SYSTEM AND METHOD OF ASSIGNING REPUTATION SCORES TO HOSTS

A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.

COMMUNICATION DEVICE, PACKET MONITORING METHOD, COMMUNICATION METHOD, AND COMPUTER PROGRAM

There is provided a communication device including a plurality of network interfaces connected to a group of network switches, a packet collection unit configured to collect packets transmitted from the plurality of network interfaces and packets received by the plurality of network interfaces, an overlapping resolving unit configured to resolve overlapping of packets that are received by the plurality of network interfaces, a packet recording unit configured to select and record packets to be recorded from packets that are collected by the packet collection unit as recorded information, and a recorded information communication unit configured to communicate the recorded information recorded by the packet recording unit with another device.

PERFORMACE MEASUREMENT BY A USER COMMUNICATION DEVICE

Entropy and value based packet truncation

Network packets may be captured by a network recorder or probe and stored in a storage device to create a history of packets. There is a need to store the captured data efficiently to preserve storage space. The invention analyses the captured packets to determine if they can be reduced in size before storing. Packets in a computer network are received via an input port and the header fields and starting point of the payload are identified. The entropy of the payload is estimated and compared to a threshold. A signal (e.g. entropy exceed signal) is generated indicating if a payload may be truncated or compressed. The value of a packet may be determined based on the header, and all or some of the data stored in the storage device based on its value and estimated entropy. The user may specify policies or rules for compressing or truncating the packets. The recorded packets may be used for incident investigation (e.g. hacking) or performance evaluation. By being economical with storage one ...

Entropy and value based packet truncation

Reducing size of diagnostic data downloads

Method for reliable transportation of alarm messages in a distributed computing system

Die Erfindung betrifft ein Verfahren zum zuverlässigen Transport von Alarmnachrichten in einem verteilten Computersystem, welches Computersystem Komponenten, insbesondere eine Vielzahl von Komponenten, umfasst, wobei es sich bei den Komponenten um Knotenrechner, Verteilereinheiten, Sensoren, vorzugsweise intelligente Sensoren und Aktuatoren, vorzugsweise intelligente Aktuatoren handelt, und wobei alle Komponenten Zugriff auf eine globale Zeit bekannter Präzision haben, und wobei die Knotenrechner, intelligenten Sensoren und intelligenten Aktuatoren über die Verteilereinheiten Nachrichten austauschen. Es ist vorgesehen, dass das Computersystem intelligente Alarmsensoren umfasst oder intelligente Alarmsensoren dem Computersystem zugeordnet sind, und wobei ein intelligenter Alarmsensor zwei Typen von zeitgesteuerten Nachrichten aussendet, Alarmnachrichten mit einer a priori vorgegebenen Alarmtransportperiode, und Fehlererkennungsnachrichten mit einer a priori vorgegebenen Fehlererkennungsperiode ...

Network packet capture distributed storage system

Network packet capture distributed storage system

METHOD AND APPARATUS FOR NETWORK PACKET CAPTURE DISTRIBUTED STORAGE SYSTEM

... ²²²This is invention comprises a method an apparatus for Infinite Network Packet ²Capture System (INPCS). The INPCS is a high performance data capture recorder ²capable of capturing and archiving all network traffic present on a single ²network or multiple networks. This device can be attached to Ethernet networks ²via copper or SX fiber via either a SPAN port (101) router configuration or ²via an optical splitter (102). By this method, multiple sources or network ²traffic including gigabit Ethernet switches (102) may provide parallelized ²data feeds to the capture appliance (104), effectively increasing collective ²data capture capacity. Multiple captured streams are merged into a ²consolidated time indexed capture stream to support asymmetrically routed ²network traffic as well as other merged streams for external consumption.² ...

SCALING OPERATIONS, ADMINISTRATION, AND MAINTENANCE SESSIONS IN PACKET NETWORKS

Operations, Administration, and Maintenance (OAM) scaling systems and methods are implemented by a network function performed by one of a physical network element and a virtual network element executed on one or more processors. The OAM scaling method includes providing N packet services, N is an integer; and, responsive to determined OAM session scaling limits, providing OAM sessions for the N packet services in an oversubscribed manner, wherein the determined OAM session scaling limits include M OAM sessions supported by the network function, M is an integer and less than N.

METHOD AND DEVICE FOR SPREADING DEEP PACKET INSPECTION RESULT

Embodiments of the present invention disclose a method for spreading a deep packet inspection result. Embodiments of the present invention further disclose an identification function network element and a spread network element. The method includes: receiving, by an identification function network element, a data packet in IP network traffic; identifying the data packet; if the identification succeeds, save a first identification result obtained through identification in a local flow table of the identification function network element, and insert the first identification result in an extension field of the header of the data packet; if the identification fails, insert a second identification result in the header extension field of the data packet, where the second identification result is an initialization identification result when the identification function network element creates the local flow table; when it is determined according to a service configuration that the data packet does ...

Monitoring of systems along a path

In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

PROCEEDED OF MONITORING OF SIZES OF DEVICES DATA-PROCESSING, COMPUTER PROGRAM AND DEVICE ASSOCIATE

L'invention concerne un procédé de surveillance d'une grandeur d'un dispositif informatique, comportant : - mesurer (202) des valeurs prises par la grandeur au cours du temps, - déterminer (210) une valeur mesurée, appelée valeur d'extremum, satisfaisant à au moins un critère de transmission, le ou les critères de transmission satisfaits par la valeur d'extremum comportant : la valeur d'extremum est un extremum local, et - transmettre (218) la valeur d'extremum.

CHARGING METHOD FOR EACH SERVICE BASED ON HOST NAME OF DNS AND PACKET INSPECTION APPARATUS

COMMUNICATION DEVICE FOR GENERATING CONNECTIVITY CHECK MESSAGE AND METHOD THEREOF

Provided is a communication device which generates and transmits a representative connectivity check message in correspondence with a connectivity check message received from a plurality of leaf nodes. The communication device comprises: a processor; a receiving unit which can be at least temporarily realized by the processor and which receives a plurality of connectivity check messages from a plurality of nodes; a determination unit which determines a connection state of each of the plurality of nodes by using each of the plurality of connectivity check messages; and a transmission unit which transmits the representative connectivity check message to an adjacent node based on a result of the determination. COPYRIGHT KIPO 2016 (AA) Root node (BB) First intermediate node (CC) Second intermediate node (DD) First intermediate node (EE) First intermediate node (FF) First intermediate node (GG) First intermediate node (HH) First leaf node (II) Second leaf node (JJ) Third leaf node (KK) Fourth ...

METHOD, APPARATUS AND COMPUTER PROGRAM FOR MONITORING SOFTWARE DEFINED NETWORK

The present invention relates to a method, an apparatus, and a computer program for monitoring a software defined network. The method of the present invention comprises the steps of: receiving an interested information receiving request including interested object information and reception setting information from one or more clients; generating an interested information table using the interested information receiving request; determining whether to transmit the changed network information using the interested information table when any network information is changed; and transmitting the changed network information to an interest client which requests a reception of the changed network information when the changed network information is determined as an object to be transmitted. According to the present invention, a client can be provided with desired network information almost in real time even in case of using a visualized monitoring application program with high usability. In addition ...

Sistema para análise de uso de rede tendo sistema e método de distribuição de dados estatìsticas dinâmicos

Discovering and publishing device changes in a cloud environment

A method includes generating, by a processor, an index data structure including allocation of nodes that each represent a computing element of multiple computing elements. In response to determining a change in status of any of the nodes, the method propagates changes in status of any computing element between associated node levels of the index data structure using an application programming interface (API). An updated status of one or more of the nodes is provided based on the change in status.

Method and apparatus for communicating predicted future network requirements of a data center to a number of adaptive network interfaces

In one embodiment, machine-readable media has stored thereon sequences of instructions that, when executed by a number of machines, cause the machine(s) to monitor behavior of a data center; acquire network utilization data; correlate the network utilization data with the data center behavior; store results of the correlations as trend data; utilize the data center behavior and trend data to predict future network requirements of the data center; and communicate the predicted future network requirements to a number of adaptive network interfaces.

BEHAVIORAL BASED DEVICE CLUSTERING SYSTEM AND METHOD

One or more embodiments are directed behavioral based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment.

DYNAMIC BANDWIDTH CONTROL SYSTEMS AND METHODS IN SOFTWARE DEFINED NETWORKING

A bandwidth control method implemented in a Software Defined Networking (SDN) network includes obtaining data for one or more services in the network, wherein each of the one or more services is controlled by an associated user-agent; determining future bandwidth requirements for the one or more services based on the data; determining service requests for at least one of the one or more services based on the future bandwidth requirements; and causing implementation of at least one of the service requests in order of priority. The process of prioritization uses a programmable network-wide logic and has the ability to consider information external to the network such as a user's Service Layer Agreement (SLA) and business priority. The entire bandwidth control method can repeat in cycles providing near real-time adjustments.

ANOMALY DETECTION THROUGH HEADER FIELD ENTROPY

An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.

ADAPTIVE EVENT MANAGEMENT FRAMEWORK FOR RESOURCE-CONSTRAINED ENVIRONMENTS

Intelligent management of user interface and device sensed events is provided. Discrete events generated through interactions between a user and a machine are monitored, the interaction performed via a user interface associated with an application running on the machine, the discrete events stored by sessions in a storage device local to the machine as event logs. Network connection pattern of the machine with a server device is determined. Storage constraints of the storage device are determined based on the monitoring and the network connection pattern. The event logs are compacted by progressively summarizing the discrete events on dynamically adjusted segments of the sessions. The compacted event logs are transmitted to the server device responsive to determining that a network connection between the machine and the server device is available.

Supplementing network flow analysis with endpoint information

Techniques are disclosed for facilitating analysis of cloud activity. A cloud activity analysis agent may run within a virtual machine in a cloud computing environment to collecting information regarding computing activity within the virtual machine. The cloud activity analysis agent may include, in network flow data records, cloud activity data based on the collected information. The cloud activity analysis agent may then transmit the network flow data records to a network device for flow analysis. In some embodiments, the network flow data records are transmitted to a network flow analyzer that is configured to receive the cloud activity data and is further configured to receive network flow data from one or more flow collectors within a network of the entity. The network flow analyzer may then perform a security analysis for the entity based on the network flow data and the cloud activity data.

TRIGGER BASED NULL DATA PACKET TRANSMISSION METHOD AND RELATED APPARATUS

This application relates to the field of wireless communication, and is applied to a wireless local area network supporting an 802. 1 The standard, and in particular, to a trigger based null data packet transmission method and a related apparatus, where the method includes: receiving, by an EHT station, an NFRP trigger frame; determining whether a resource for scheduling the EHT station is in an EHT modulation bandwidth or an HE modulation bandwidth based on information in the NFRP trigger frame; and sending an EHT TB NDP if the resource is in the EHT modulation bandwidth; or sending an HE TB NDP if the resource is in the HE modulation bandwidth, where the NFRP trigger frame includes a first user information field, and is used to schedule the EHT station to send the HE TB NDP in the HE modulation bandwidth and send the EHT TB NDP in the EHT modulation bandwidth. According to embodiments of this application, the EHT station may be scheduled to send the EHT TB NDP to feed back a report, and ...

Computer network management tools

A network device for computer network operation comprising a processor and a memory, wherein a set of object identifiers (OID) and a set of device management identifiers are stored in the memory, wherein each object identifier is mapped to a corresponding device management parameter to facilitate management of the network device, and the set of device management identifiers collective represents the set of object identifiers; and wherein the network device is to make available the device management identifiers and values corresponding to the device management parameters to facilitate network management.

Processing local area network diagnostic data

METHOD AND APPARATUS FOR MEASUREMENT OF PEAK THROUGHPUT IN PACKETIZED DATA NETWORKS

A system for measuring peak throughput in packetized data networks includes a remote monitoring probe (12) and console (16). The probe (12) is connected t o the network to monitor network activity, while the console is in communicati on with the probe via the network or other communications medium. The probe maintains a plurality of counters associated with different ranges of percentage of utilization of network bandwidth. For each sampling interval, the probe measures the network and individual network circuit bandwidth utilization and increments the appropriate counters associated with the percentage ranges encompassing the measured bandwidth utilizations. The console polls the probe for the percentage counter data to display the netwo rk bandwidth utilization in the form of a bar graph and pie chart. The network bandwidth may then be adjusted based on the displayed data.

SCALING OPERATIONS, ADMINISTRATION, AND MAINTENANCE SESSIONS IN PACKET NETWORKS

Operations, Administration, and Maintenance (OAM) scaling systems and methods are implemented by a network function performed by one of a physical network element and a virtual network element executed on one or more processors. The OAM scaling method includes providing N packet services, N is an integer; and, responsive to determined OAM session scaling limits, providing OAM sessions for the N packet services in an oversubscribed manner, wherein the determined OAM session scaling limits include M OAM sessions supported by the network function, M is an integer and less than N.

TELECOMMUNICATION DIAGNOSTIC INFORMATION MANAGEMENT

A diagnostic tool is adapted to include the capability of initiating one or more diagnostic tests, collecting the raw data from the diagnostic test(s) and transporting the raw diagnostic data to an OSS (100). The OSS (100) interprets the raw diagnostic data and stores the results in a database. The stored results can be searched, sorted, manipulated, analyzed, and the like. The results of any of these operations can then be, for example, displayed to one or more entities such as customer support, network operators, network planners, or the like.

SYSTEM AND METHOD FOR PROCESSING DATA ASSOCIATED WITH A TRANSMISSION IN A DATA COMMUNICATION SYSTEM

A method and system are provided for processing large amounts of data associated with messages and other transmissions that are routed through a data communications system. A distributed system is used to process the data in parallel. The system includes a master processor and at least one additional processor. The master processor is responsible for obtaining the data and routing the data to the additional processors. The additional processors filter the data for information pertaining to the data and the filter results are combined. An on- demand filter can be run in parallel from a web server which allows dynamic filtering of information that is of interest at a particular time.

Multidimensional statistical performance in the network management device and method for obtaining data of the

METHODS FOR MONITORING QUANTITIES OF COMPUTING DEVICES, COMPUTER PROGRAM AND DEVICE ASSOCIES

패킷-교환 통신 네트워크에서 패킷 흐름 상 타임 측정

... 통신 네트워크의 제1 노드로부터 제2 노드로 전송될 패킷 흐름상에서의 타임 측정을 수행하는 방법이 개시된다. 상기 방법은: 주어진 블록 주기 동안에 전송된 패킷들에 관련된 전송 타임 파라미터들의 평균을 나타내는 매체 전송 타임 파라미터를 계산하고; 동일한 패킷들에 관련된 수신 타임 파라미터들의 평균을 나타내는 매체 수신 타임 파라미터를 계산하고; 그리고 상기 매체 전송 타임 파라미터 및 상기 매체 수신 타임 파라미터를 이용하여 상기 블록 주기 동안에 상기 패킷 흐름의 평균 성능을 나타내는 매체 타임 측정을 계산하는 것을 포함한다.

FIRST TUNNEL APPARATUS AND SECOND TUNNEL APPARATUS CONSTITUTING NETWORK TUNNEL, AND METHOD FOR FORWARDING VERIFICATION PACKET THEREBY

The present invention relates to a method for forwarding a verification packet by a first tunnel apparatus and a second tunnel apparatus constituting a network tunnel, in an environment where a network test is carried out by a header space analysis (HSA) technique. According to an embodiment of the present invention, the method for forwarding a verification packet comprises the following steps of: allowing the first tunnel apparatus to receive a verification packet and a test message for the test of a network from a first external apparatus; allowing the first tunnel apparatus to accumulate, in the test message, identification information of the network tunnel and a depth value of the verification packet in the network and to record the same; allowing the first tunnel apparatus to transmit the test message and the verification packet to a different tunnel apparatus or the second tunnel apparatus; allowing the second tunnel apparatus to accumulate information, which has been recorded in ...

método para realizar uma medição de tempo em um fluxo de pacote, nó para uma rede de comunicação, rede de comunicação, e, produto de programa de computação

FUZZ TESTING APPARATUS AND FUZZ TESTING METHOD

DEVICE AND METHOD FOR MANAGING A NETWORK SERVICE

A management device (4) for managing at least one application data transmission support network session established by a destination entity (2), the management device comprising: a network information management module for obtaining information relative to an underlying transport network (6), a service information management module for obtaining information relative to an application, the information relative to the application comprising at least one identifier of a source entity (3) associated with the application, a configuration module for determining a transmission configuration of the application data on the basis of the information relative to the network and the information relative to the application, and a control module for controlling a network session control device (5) on the basis of the determined configuration, characterised in that the determined configuration comprises at least one interception rule on the basis of at least one piece of information relative to said at ...

Efficient network monitoring

According to one aspect of the present disclosure, a computer-implemented method is disclosed, in which a determination is made for each of a plurality of network interfaces of whether an amount of traffic on the network interface exceeds a predefined traffic threshold. Each of the network interfaces whose amount of traffic is below the traffic threshold is excluded from Quality of Service (QoS) polling. For each of the non-excluded network interfaces whose traffic exceeds the traffic threshold, a determination is made of a set of traffic classes transported on the network interface, and any of the traffic classes with a priority level below a cutoff threshold are excluded from QoS polling. For each non-excluded traffic class that has a priority level above the cutoff threshold, a determination is made of a per-class QoS polling rate based on the respective priority level of the traffic class.

HYPERMEDIA-DRIVEN RECORD AND PLAYBACK TEST FRAMEWORK

The present disclosure is directed to systems, methods and devices for converting REST service events for playback. A plurality of web service resource requests comprising at least one operational event and at least one resource event may be received. At least one resource associated with the plurality of web service resource requests may be retrieved. Each operational event resource may be tagged. A correlation ID may be associated with each tagged operational event resource. A plurality of dynamic elements associated with the plurality of web service resource requests may be normalized. One or more event recording timelines for the plurality of web service resource requests may be identified, and the one or more event recording timelines may be evaluated during playback.

On-board network system, communication control method in the on-board network system, and on-board gateway

An on-board network system includes a plurality of controllers connected to a bus, a detecting unit that detects an error that occurs, a measuring unit that measures a degree of error occurrence detected by the detecting unit, and a communication controller that reduces a communication speed and a communication data amount of at least one of the controllers from a first speed and a first data amount to a second speed and a second data amount, when the error occurrence degree becomes equal to or larger than a first degree. The communication controller reduces the communication speed and the communication data amount, such that a first communication time it takes for data to be transmitted at the first speed in the first data amount is longer than a second communication time it takes for data to be transmitted at the second speed in the second data amount.

CONTINUOUS AUTONOMOUS MONITORING OF SYSTEMS ALONG A PATH

In an embodiment, a method comprises initiating a monitoring session for a communication path including creating and storing monitoring session state data; sending, to a first responder computer of the communication path, a first request to initiate a first state servlet that is configured to monitor continuously during the monitoring session one or more characteristics of one or more processes that the first responder computer may perform; sending, to the first responder computer, monitoring instructions to monitor the one or more characteristics of the one or more processes; while the monitoring session is active and the first responder computer is in the communication path, receiving and collecting monitored information from the first responder computer; in response to determining that the first responder computer is not in the communication path or that the monitoring session has become inactive, automatically and autonomously ending the monitoring session.

Systems and methods for processing data flows

A flow processing facility, which uses a set of artificial neurons for pattern recognition, such as a self-organizing map, in order to provide security and protection to a computer or computer system supports unified threat management based at least in part on patterns relevant to a variety of types of threats that relate to computer systems, including computer networks. Flow processing for switching, security, and other network applications, including a facility that processes a data flow to address patterns relevant to a variety of conditions are directed at internal network security, virtualization, and web connection security. A flow processing facility for inspecting payloads of network traffic packets detects security threats and intrusions across accessible layers of the IP-stack by applying content matching and behavioral anomaly detection techniques based on regular expression matching and self-organizing maps. Exposing threats and intrusions within packet payload at or near real-time rates enhances network security from both external and internal sources while ensuring security policy is rigorously applied to data and system resources. Intrusion Detection and Protection (IDP) is provided by a flow processing facility that processes a data flow to address patterns relevant to a variety of types of network and data integrity threats that relate to computer systems, including computer networks.

Analyzing Network Activity by Presenting Topology Information with Application Traffic Quantity

A system for analyzing activity in a network collects, from one or more network components, flow information about traffic in the network. It associates the flow information with one or more application types. It enriches the flow information with topology information about the network. It then presents a report. The report identifies a quantity of traffic flowing into or out of a first network component as traffic corresponding to one application type, and also identifies a second network component to or from which the traffic is being sent.

Flow Statistics Aggregation

There are disclosed methods and apparatus for testing a network. A plurality of packets may be transmitted over the network from one or more source port units. Each transmitted packet may include a packet group identifier (PGID) corresponding to a unique combination of values for a plurality of tracking factors. The packets may be received at one or more destination port units. Each destination port unit may extract the PGID from each received packet and may accumulate traffic statistics for each of the plurality of PGIDs. The accumulated traffic statistics for at least some of the plurality of PGIDs may be aggregated to report summary statistics for a selected tracking factor.

Apparatus and method for collecting and analyzing communications data

A method of monitoring data on a first communication line. Data is received from the first communication line ( 402 ) and a plurality of packets ( 406 ) are extracted ( 416 ) from the data. Statistics are then recursively generated ( 408 ), the statistics corresponding to the plurality of packets.

Evolved Packet System Non Access Stratum Deciphering Using Real-Time LTE Monitoring

A monitoring system is coupled to interfaces in an LTE network and passively captures packets from the network interfaces. First data packets associated with an authentication and key agreement procedure are captured on a first interface. Second data packets associated with the authentication and key agreement procedure are captured on a second interface. Individual ones of the first data packets are correlated to individual ones of the second data packets based upon a same parameter. An authentication vector table is created comprising information from the correlated first data packets and second data packets, wherein entries in the table comprise authentication data for a plurality of security contexts. A cipher key is identified to decipher additional packets for the user. The cipher key can also be identified in case of Inter Radio Access Technology Handover by the user equipment.

Packet analysis system and method using hadoop based parallel computation

The present invention relates to a packet analysis system and method, which enables cluster nodes to process in parallel a large quantity of packets collected in a network in an open source distribution system called Hadoop. The packet analysis system based on a Hadoop framework includes a first module for distributing and storing packet traces in a distributed file system, a second module for distributing and processing the packet traces stored in the distributed file system in a cluster of nodes executing Hadoop using a MapReduce method, and a third module for transferring the packet traces, stored in the distributed file system, to the second module so that the packet traces can be processed using the MapReduce method and outputting a result of analysis, calculated by the second module using the MapReduce method, to the distributed file system.

System integration and test monitoring of immersive video networks

A computing device determines a schedule for monitoring an immersive video-telepresence (IMV-TP) network, and receives, based on the schedule, immersive video (IMV) information directly from one or more of devices, software, or systems associated with the IMV-TP network. The computing device aggregates the received IMV information, generates a report based on the aggregated IMV information, and provides the generated report to one or more users associated with the IMV-TP network.

Identifying remote machine operating system

A method for discovering an operating system of a remote machine includes monitoring network communications to detect a plurality of data packets that were generated by the remote machine. The contents of each detected data packet are read so as to extract a packet signature of each detected data packet. Each packet signature is compared with at least one signature of a database of signatures in order to determine a similarity between each packet signature and the signature from the database. A confidence level for at least one candidate operating system is calculated based on the determined similarities. A candidate operating system is selected based on the confidence level for that operating system. Relating computer program product and data processing system are also disclosed.

Botmaster Traceback

Embodiments locate a botmaster on a network. A honeynet host is configured to join a botnet and generate a watermarked packet flow by applying a watermark to an outgoing packet flow in response to commands from the botmaster. The watermark is applied to the outgoing packet flow by: choosing distinct packets from the outgoing packet flow; forming packet pair(s) from the distinct packets, that include a reference packet and an encoding packet; and encoding bits in the watermark to the packet pair(s) by increasing the length of the encoding packet when watermark bits have a predetermined value. The cooperating node(s) are configured to: inspect passing packet flows for the watermarked packet flow and generate tracking information related to detection of the watermarked packet flow. The path determination processor is configured to analyze the tracking information to locate a path taken by the watermarked packet flow.

Data leakage protection in cloud applications

A computer-implemented method for data leakage protection is disclosed. A monitoring template corresponding to the cloud application is selected based upon communication between a user and a cloud application and from a plurality of monitoring templates. A monitor is generated using the selected monitoring template. Identifying information of content shared between the user and the cloud application is obtained using the generated monitor. Data about the shared content for security analysis is obtained according to the identifying information of the shared content.

Device and method for identifying the location of anomaly link with link candidates refined by means of the number of overlapping abnormal flows

In an anomaly locating device, a flow information collector collects flow information on flows between terminal devices from observation nodes arranged at observation points over a telecommunications network, and an anomaly location narrow-downer counts, based on the flow information, the number of overlapping abnormal flows passing through each link connected to the observation points to determine a link having the largest number of overlapping abnormal flows from among the links connected to the observation points. The anomaly location narrow-downer then collects link candidates reachable by routing via the link thus determined. An anomaly link identifier narrows down the collected link candidates to an abnormal link.

Method for operating a fieldbus interface

A method for operating a fieldbus interface, which is connected to a fieldbus of process automation technology. The method includes the steps as continuous monitoring of data traffic on the fieldbus by the fieldbus interface; need-dependent performing of active communication by the fieldbus interface in parallel with the monitoring of the data traffic; and registering by the fieldbus interface of monitored information concerning network management of the fieldbus.

Mobile communication system, constituent apparatuses thereof, traffic leveling method and program

A mobile communication system includes a traffic monitoring apparatus arranged between predetermined nodes in a mobile network for monitoring a traffic amount between the nodes; and a traffic control apparatus that outputs control information to the predetermined nodes based on a report from the traffic monitoring apparatus wherein the control information instructs the predetermined nodes to level the traffic amount.

Apparatus, an assembly and a method of operating a plurality of analyzing means reading and ordering data packets

A system and a method of operating the system, the system having a plurality of data receiving elements each receiving data packets from a data connection and from another receiving element and forwarding the two data packets to another receiving element in a predetermined order. If, at a point in time, only one data packet is received, a period of time is allowed to elapse, and if a second data packet is received, the two packets are output in the order. If not, the received data packet is output.

Systems and methods for analyzing network metrics

The present solution is directed to systems and methods for providing, by a device intermediary to a plurality of clients and one or more servers, analytics on a stream of network packets traversing the device. The systems and methods include the device identifying, while the device manages network traffic between the plurality of clients and the one or more servers, a stream of network packets, from a plurality of streams of network packets of the network traffic traversing the device, corresponding to a flow identifier, e.g., a selected one of an internet protocol address, a uniform resource locator or an application identifier. The systems and methods may include a collector of the analytics engine collecting, while the device manages network traffic, metrics on the identified stream of network packets and generating one or more stream objects that comprise the collected metrics.

Flow-based rate limiting

A device may include logic configured to receive a packet, identify a flow associated with the packet in a flow table, and identify a rate limit associated with the flow in the flow table. A current rate associated with the flow may be calculated based on the packet. It may be determined whether the current rate associated with the flow exceeds the rate limit associated with the flow. If so, the packet may be discarded or tagged as “over limit.”

Testing an upstream path of a cable network

An apparatus and method for testing an upstream path of a cable network are disclosed. The upstream path is tested by capturing and analyzing upstream data packets generated by a specific terminal device. A test instrument is connected at a node of the cable network. The test instrument establishes a communication session with the headend, informing the headend of an identifier of the device that will generate the test upstream data packet. The test upstream data packet is captured and analyzed at the headend, so that the results of the analysis can be communicated back to the test instrument. To speed up the packet capturing and filtering process, the upstream data packets can be pre-filtered based on packet duration and/or arrival time.

Method, device, and computer program product for detecting and encoding states for accurate measurement

A method, device, and program for determining states in a flow of packets are provided. A flow of transmitted packets is received. When the difference between the sequence number of the arriving packet and the next expected sequence number is equal to zero and when the TTL number of the arriving packet is equal to the TTL number of the previous packet, there is a stable state beginning with the first of the consecutively received packets. If a difference between the sequence number of an arriving packet and a next expected sequence number is greater than 1, or TTL of the arriving packet is not equal to the TTL number of the previous packet, there is a not stable state. Time between end of one stable state and start of the next stable state is the hole, and the states and holes correlate to events for analysis of the network.

Method for creating stream forwarding entry, and data communication device

The present disclosure provide a method for creating a stream forwarding entry includes: receiving, by a data communication device, a packet; making statistics on the received packet to obtain a statistical value of a stream corresponding to the packet; judging whether the statistical value of the stream exceeds a preset threshold value; and if exceeds the preset threshold value, creating, by the data communication device, a stream forwarding entry for the stream corresponding to the packet, and performing stream forwarding for subsequent packets of the stream according to the stream forwarding entry. Through the present disclosure, the number of stream forwarding entries in a stream table is reduced, the required storage space is reduced, and the maintenance of the stream table is simplified; moreover, the data communication device is not vulnerable to attacks of denial of service and is highly secure.

Method and apparatus for identifying application protocol

In an embodiment, the method of identifying an application protocol includes classifying a data packet to be detected into an individual traffic flow, searching for keywords in a valid payload of the traffic flow based upon a keyword database of identifiable application protocols, and determining a keyword weight vector of the traffic flow. The weight of a keyword is related to a location of the keyword in a valid payload of a traffic flow. Similarities between the keyword weight vector of the traffic flow and feature keyword weight vectors of the identifiable application protocols are determined; and an application protocol corresponding to a feature keyword weight vector with the highest similarity to the keyword weight vector of the traffic flow as the application protocol of the traffic flow is determined if a condition is satisfied.

Traffic Item Impairment Emulation

An impairment unit, method, and machine readable storage media for emulating network impairments. A first network interface may receive network traffic including a plurality of received packets. A classifier may determine an impairment class of each received packet based on test information contained within a payload portion of each received packet, the impairment class of each received packet being one of a plurality of impairment classes, each impairment class uniquely associated with a corresponding one of a plurality of impairment profiles. An impairment engine may impair each of the plurality of impairment classes in accordance with the corresponding impairment profile to provide impaired network traffic. A second network interface may transmit the impaired network traffic to the network.

Policy-Enabled Dynamic Deep Packet Inspection for Telecommunications Networks

Provided herein is a method including the steps of: establishing at least one policy in a centralized policy management framework (PMF), wherein the policy includes at least one policy condition; monitoring data traffic; determining if the data traffic at least substantially meets one of the policy conditions; sending a trigger to the PMF, if at least one of the policy conditions is at least substantially met; generating an enforcement decision at the PMF, wherein the enforcement decision includes at least one enforcement action; sending the enforcement decision to an enforcement function; and enforcing the enforcement decision. A system for realizing this method is also provided.

Method and System for Determination and Exchange of Network Timing Information

Aspects of methods and systems for determination and exchange of network timing information are provided. In one such method, a propagation delay of a network physical link is determined using a plurality of time stamps. The time stamps are provided by one or more sending nodes traversed by a packet along the network physical link. The length of the network physical link is calculated, utilizing the determined propagation delay. The determined propagation delay and/or the length of the network physical link is appended to the packet.

System for organizing and fast searching of massive amounts of data

A system to collect and analyze performance metric data recorded in time-series measurements, converted into unicode, and arranged into a special data structure. The performance metric data is collected by one or more probes running on machines about which data is being collected. The performance metric data is also organized into a special data structure. The data structure at the server where analysis is done has a directory for every day of performance metric data collected with a subdirectory for every resource type. Each subdirectory contain text files of performance metric data values measured for attributes in a group of attributes to which said text file is dedicated. Each attribute has its own section and the performance metric data values are recorded in time series as unicode hex numbers as a comma delimited list. Analysis of the performance metric data is done using regular expressions.

Method of identifying a protocol giving rise to a data flow

Method of identifying a protocol at the origin of a data flow. The method of identifying a protocol giving rise to a packet flow comprises the following steps: a capture of the flow of the protocol to be identified, statistical classification of the flow, comprising an extraction of the classification parameters and a comparison of the classification parameters with statistical models constructed during a learning phase. The statistical classification comprises: a first phase of global statistical classification; and a step of synthesis of the results of the first and second classification phases so as to identify the protocol giving rise to the flow.

Communication system, node, statistical information collection device, statistical information collection method and program

For use in a communication system where communication is carried out by setting a packet handling operation (flow entry) in the nodes by a control device, the present invention provides a configuration in which statistical information may be collected at a desired information granularity level without increasing the control load of the control device. A node of the communication system includes a packet processing unit that processes a received packet according to a packet handling operation defining a matching rule and processing of a packet that matches the matching rule; and a statistical information recording unit that records statistical information on a packet according to a division different from the matching rule, and a statistical information collection device is provided that issues an instruction on a division, according to which the statistical information is to be recorded, to the node and collects the statistical information.

Equipment for femtocell telecommunications system

A femtocell telecommunication system equipment comprising: a base apparatus structured to provide a first information signal and control signals; an electrical conductor based transmission line connected to said base apparatus; a bidirectional conversion apparatus adapted to receive/transmit from/on the transmission line the first signal and the control signals; the bidirectional apparatus comprising: a processing module structured to process the first signal to generate a second information signal and vice-versa; the second signal being adapted to be transmitted/received by an antenna device connectable to the bidirectional apparatus.

Differentiated Handling of Network Traffic using Network Address Translation

In order to allow efficient differentiated handling of network traffic in a network section, a network address translator performs network address translation on incoming data packets to be transmitted into the network section and/or on outgoing data packets transmitted from the network section. In the incoming data packets, the network address translation replaces a source network address with a replacement network address. In the outgoing data packets, a replacement network address is included in place of a destination address, and the network address translation replaces the replacement network address with the destination network address. In each case, the replacement network address is selected according to a traffic class of the data packet. In the network section, differentiated handling of the data packets on the basis of the replacement network address is provided.

Data collection device for monitoring streams in data network

The invention relates to a data collection device for monitoring streams in a data network using a packet transmission mode, including an extractor for extracting data contained in packets belonging to a stream defined by a transmitter, a receiver, and a protocol. The collection device also includes a syntax analyzer which receives data in real time from the extractor and breaks the data down into elements according to the syntactic rules of the protocol, said syntactic rules enabling the elements to be represented as a tree structure. The syntax analyzer combines respective tree state indicators with at least some of the elements, wherein the tree state indicator combined with an element locates said element within the tree structure. An interface transmits the tree state indicators, together with the elements with which the latter have been combined, to a stream analyzer external to the collection device.

Systems and methods for extracting structured application data from a communications link

Systems and methods for generating a semantic description of operations between network agents. In an embodiment, packet-level traffic between two or more network agents is captured. The packet-level traffic is bundled into one or more messages, wherein each message comprises one or more elements. For each of the messages, the elements of the message are matched to one or more attributes, and the message is decoded into message data based on the matched attributes. The message data is then used to generate a semantic description of operations between the network agents.

Remote monitoring and controlling of network utilization

A non-transitory computer-readable storage medium storing instructions which, when executed by processors, cause the processors to perform: at a management computer, receiving, from a gateway located in a managed network, device information about devices in the managed network; for a particular device: determining a match between the device capabilities of the particular device and features of a particular network software application configured to control the particular device, and determining a particular protocol endpoint configured to communicate control instructions from the particular network software application to the particular device; receiving, from the gateway, aggregated data that reflects network utilization by the devices located in the managed network; for the particular device: based at least in part on the aggregated data, using the particular network software application, determining control instructions for the particular device; causing the particular protocol endpoint to transmit the control instructions for the particular device to the device.

System and method for reducing netflow traffic in a network environment

A an example method includes building a dictionary between an exporter and a collector by encoding a first data record of a flow according to a dictionary template and exporting the first data record to the collector via a network communication. The method can also include compressing a second data record of the flow using the dictionary, where the compressing comprises encoding the second data record according to an encoding template; and exporting the second data record to the collector to be decompressed using the dictionary.

Systems and methods related to improved isolation between transmit and receive radio-frequency signals

Disclosed are systems and methods for improving isolation between transmit and receive radio-frequency (RF) signals. In some embodiments, a system can be implemented for isolating RF signals during Tx and Rx operations. The system can include a Tx path and an Rx path, with the Tx path having a filter. In some embodiments, the Tx path can include a power amplifier having a plurality of interstages and an output stage, and the filter can be implemented at one of the interstages and before the output stage. The system can further include first and second antennas connected respectively to the Tx and Rx paths. The Tx path, the Rx path, and/or the first and second antennas can be configured to yield a desired level of isolation between the RF signal in the Tx and Tx paths.

METHOD, APPARATUS, AND SYSTEM FOR FLOW MEASUREMENT

Embodiments of the present invention provide a method, an apparatus, and a system for flow measurement, which are used to reduce management bandwidth of a controller over a forwarding device. The method includes: receiving a data flow sent by a forwarding device, and knowing the type of the data flow by parsing the data flow; if the type of the data flow is a preset type in a measurement flow type set, obtaining a feature identifier carried in the data flow and packet header information of the data flow, and obtain operation information corresponding to the data flow, and adding a measurement operation for the feature identifier to the operation information, where the operation information is used to record various operations of the data flow; and sending, to the forwarding device, the packet header information and the operation information added with the measurement operation for the feature identifier. 1. A method for flow measurement , comprising:receiving a data flow sent by a forwarding device, wherein the data flow comprises a feature identifier, and obtaining a type of the data flow by parsing the data flow;if the type of the data flow is a preset type in a measurement flow type set, obtaining the feature identifier and packet header information of the data flow, and obtaining operation information corresponding to the data flow, and adding a measurement operation for the feature identifier to the operation information, wherein the operation information is used to record various operations of the data flow; andsending, to the forwarding device, the packet header information and the operation information added with the measurement operation for the feature identifier, so that the forwarding device performs traffic measurement on the data flow according to the feature identifier.2. The method according to claim 1 , after the receiving the data flow sent by the forwarding device and identifying the type of the data flow claim 1 , further comprising:if the type ...

Generating and/or receiving at least one packet to facilitate, at least in part, network path establishment

An embodiment may include circuitry to be included, at least in part, in at least one node in a network. The circuitry may generate, at least in part, and/or receive, at least in part, at least one packet. The packet may be received, at least in part, by at least one switch node in the network. The switch node may designate, in response at least in part to the packet, at least one port of the switch node to be used to facilitate, at least in part, establishment, at least in part, of at least one path for propagation of at least one flow between at least two other nodes in the network. The packet may be generated based at least in part upon (1) at least one application classification, (2) at least one allocation request, and (3) network resource availability information.

Network feedback in software-defined networks

One embodiment of the present invention provides a computing system capable of providing feedback to a controller in a software-defined network. The computing system includes a policy management module and a communication module coupled to the policy management module. During operation, the policy management module recognizes a local policy indicating how a data flow is to be processed and identifies a data flow associated with the policy. The communication module constructs a request for a flow definition from a controller in a software-defined network. A flow definition indicates how the data flow is processed in the software-defined network.

Apparatus, methods, and systems for character set surveying of network traffic

Apparatus, methods, and systems for use in analyzing a flow of network traffic between a first network and a second network are provided. One example method includes scanning the network traffic between the first and second networks. The network traffic includes a plurality of data packets. The method includes determining a character set included in each of the plurality of data packets, and storing an indication of each character set included in each scanned data packet.

Virtual data loopback and/or data capture in a computing system

A method for enabling virtual data loopback in a computing system may include forwarding a data packet from a first device to a second device; the second device identifying from the data packet egress interface information indicating a first interface for forwarding the data packet out of the computing system; based on the first interface identified from the egress interface information, automatically determining a second interface to the first interface; inserting into the data packet ingress interface information that indicates the second interface; forwarding the data packet, including the ingress interface information, back to the first device; and the first device identifying the ingress interface information indicating the second interface; such that the data packet is looped back to the first device without being communicated via the first or second interface, and such that from the perspective of the first device the data packet was received via the second interface.

Methods and apparatus for analyzing network traffic in a network including a plurality of network analyzers

Methods and apparatus for analyzing network traffic in a network are disclosed herein. The network may include a plurality of network analyzers. An method for analyzing network traffic may include: receiving a data packet at a first network element including a first header that indicates a destination address of a second network element; generating a new data packet including a copy of at least a portion of the received data packet and a second header that indicates a destination address of a plurality of network elements that are configured to monitor the network traffic; transmitting the received data packet to the second network element; and separately transmitting the new data packet. The new data packet may be replicated by one or more network elements along transmission paths between the first network element and the plurality of network elements that are configured to monitor the network traffic.

Method and device for extracting data from a data stream travelling around an ip network

In a phase of configuration, a state machine ( 20 ) is constructed with states and transitions configured according to at least one type of data to be extracted from a data stream travelling around an IP network. The transitions between states are activated by conditions defined as a function of rules of organization of the data of the stream according to an application layer protocol. One or more states are moreover selected for the extraction of data from the stream. Thereafter, in a phase of real-time analysis of the stream, the stream data arising from IP packets travelling successively around the network are observed. When the state machine is in a current state, a search is conducted as to whether a condition of activation of a transition to a target state is realized by the data observed from the stream, and when such an activation condition is realized, the state machine is toggled into the target state. The data from the stream are extracted when the state machine is in a state selected in the configuration phase.

DUPLICATING NETWORK TRAFFIC THROUGH TRANSPARENT VLAN FLOODING

An approach to duplicating network traffic is described. In one approach, a method of creating multiple copies of network traffic is detailed. The method involves receiving network traffic, producing a duplicate copy of the network traffic, and forwarding the duplicate copy to a monitoring port. The monitoring port forwards copies to a number of indicated ports. 1. A method of creating multiple copies of network traffic , comprising:receiving network traffic;producing a duplicate copy of said network traffic;forwarding said duplicate copy to a monitoring port; andforwarding a plurality of copies of said duplicate copy from said monitoring port to a plurality of ports.2. The method of claim 1 , further comprising:identifying said network traffic as traffic to be duplicated.3. The method of claim 2 , wherein said identifying comprises determining if said network traffic matches a defined parameter.4. The method of claim 3 , wherein said defined parameter comprises a specified networking protocol.5. The method of claim 3 , wherein said defined parameter comprises a specified recipient network address.6. The method of claim 3 , wherein said defined parameter comprises a specified sender network address.7. The method of claim 1 , wherein said receiving comprises receiving said network traffic into a network device via one of said plurality of ports.8. The method of claim 1 , wherein said producing said duplicate copy comprises:configuring a port to implement port mirroring; andapplying said port mirroring to said network traffic to produce said duplicate copy.9. The method of claim 1 , wherein said forwarding said plurality of copies of said duplicate copy comprises:including said monitoring port and said plurality of ports in a specified virtual local area network (VLAN);disabling media access control (MAC) address learning for said monitoring port; andflooding said specified VLAN with said plurality of copies.10. The method of claim 1 , further comprising:transmitting ...

METHOD AND SYSTEM FOR MANAGING A DISTRIBUTED NETWORK OF NETWORK MONITORING DEVICES

Network traffic information for nodes of a first logical hierarchy is stored at a monitoring device according to ranks of the nodes within the logical hierarchy as determined by each node's position therein and user preferences. At least some of the network traffic information stored at the network monitoring device may then be reported to another network monitoring device, where it can be aggregated with similar information from other network monitoring devices. Such reporting may occur according to rankings of inter-node communication links between nodes of different logical hierarchies of monitored nodes. 1. A network monitoring system comprising:a plurality of network monitoring devices that monitor network traffic data from a plurality of nodes of a network, each network monitoring device being configured to collect network traffic data from an assigned subset of the nodes in the network, anda central network monitoring device that is configured to receive at least a portion of the network traffic data collected by the network monitoring devices;wherein at least one of the network monitoring devices is configured to select fewer nodes than its assigned subset of nodes for collecting network traffic data, based on a capacity of the network monitoring device and a priority associated with each node of its assigned subset of nodes.2. The network monitoring system of claim 1 , wherein the priority associated with at least one of the nodes is based on a number of network monitoring devices that provide network traffic data associated with this node to the central network monitoring device.3. The network monitoring system of claim 1 , wherein each subset of assigned nodes includes a root node claim 1 , each of the nodes of the subset being hierarchically related to the root node claim 1 , and the priority associated with each node is based on a hierarchical distance of the node from the root node.4. The network monitoring system of claim 1 , wherein each subset of ...

Method and Apparatus For Quality of Service Monitoring of Services in a Communication Network

The present invention relates to a method of quality of service monitoring of at least one service in a communication network. The method comprises a first and a second modes. The first mode comprises detecting degradation in quality of service in a communication network by selecting () a set of terminal service sessions for providing terminal service session reports; collecting () terminal service session information from the selected terminal service sessions; and determining () the quality of service in the evaluate quality of service communication network from the terminal service sessions monitored in the first mode. The second mode, being entered when a degradation of service quality in at least part of terminal service sessions is detected (), comprises identifying at least one factor causing degradation of service quality in the communication network in steps of determining () at least one potential factor associated with terminal service sessions having degraded service quality as a candidate factor potentially causing the observed service quality degradation in at least part of the terminal service sessions; collecting () terminal service session information from terminal service sessions associated with at least one candidate factor; and evaluating () collected terminal service session information for service sessions associated with a candidate factor to identify whether the candidate factor is a cause of service quality degradation. 1. A method of quality of service monitoring of at least one service in a communication network , comprising:selecting a set of terminal service sessions for providing terminal service session reports;collecting first terminal service session information from the selected terminal service sessions; anddetermining the quality of service in the communication network from the first terminal service session information; andidentifying at least one factor causing a degradation of service quality in the communication network, ...

Adaptive centralized collection of performance management data using a metamodel

A method is provided for obtaining performance measurements via metamodels streamed from multiple types and models of network devices connected to a network. The method comprises installing a generic collection agent on a server connected to the network, retrieving the metamodels from the network devices by the collection agent, storing the metamodels in a collection of metamodels on the server to be accessed by the collection agent and the network devices, analyzing the metamodels to provide the network devices with addressing information, streaming the performance measurements from the network devices to the collection agent using the addressing information, and analyzing and storing the performance measurements for later use.

System and method for network traffic aggregation and analysis of mobile devices using socket wrappers

This disclosure describes systems, methods, and apparatus for per-application network traffic monitoring by extending socket functionality to include socket wrappers able to identify network traffic volume, applications responsible for the traffic, the network being loaded, and distinguish between internal device traffic and external network traffic. Network traffic shaping can then be carried out by managing an offending application's traffic.

SYSTEM AND METHOD OF HIGH VOLUME RULE ENGINE

A rule engine configured with at least one hash table which summarizes the rules managed by the engine. The rule engine receives rules and automatically adjusts the hash table in order to relate to added rules and/or in order to remove cancelled rules. The adjustment may be performed while the rule engine is filtering packets, without stopping. The rules may be grouped into a plurality of rule types and for each rule type the rule engine performs one or more accesses to at least one hash table to determine whether any of the rules of that type match the packet. In some embodiments, the rule engine may automatically select the rule types responsive to a set of rules provided to the rule engine and adapt its operation to the specific rules it is currently handling, while not spending resources on checking rule types not currently used. 1. A method of screening data packets for matching rules by a processing unit , comprising:receiving packets, by the processing unit;generating for each received packet, one or more first lookup keys from one or more fields of the packet;accessing, for the generated one or more first lookup keys, a data structure which correlates between key values and records indicating further acts to be performed in determining whether a packet corresponding to the key value matches a rule, wherein at least some of the records indicate one or more specific tests to be applied to the packet to determine whether the packet matches a rule, which specific tests are adjusted to the value of the key used in accessing the record;performing the further acts indicated by the accessed record so as to determine whether the packet matches a rule; andapplying rules determined to match packets, to the matching packets.2. The method of claim 1 , wherein generating the one or more first lookup keys comprises generating at least one first lookup key based on a plurality of fields of the packet.3. The method of claim 1 , wherein generating at least one of the lookup ...

Systems and methods to filter out noisy application signatures to improve precision of first packet application classification

The system and methods discussed herein provide for filtering out noisy application signatures to improve the precision of first packet application classification. In some implementations, the system receive application signatures from devices along with their network identifiers. Based upon the frequency at which identical application signatures appear as originating from distinct network environments, the system determines the validity of application signatures and avoids storing irrelevant information for routing network traffic.

SYSTEMS AND METHODS FOR FILTERING ELECTRONIC ACTIVITIES BY PARSING CURRENT AND HISTORICAL ELECTRONIC ACTIVITIES

The present disclosure relates to systems and methods for filtering electronic activities. The method includes identifying an electronic activity. The method includes parsing the electronic activity to identify one or more electronic accounts in the electronic activity. The method includes determining, responsive to parsing the electronic activity, that the electronic activity is associated with an electronic account of the one or more electronic accounts. The method includes selecting, based on the electronic account, one or more filtering policies associated with the data source provider to apply to the electronic activity. The method includes determining, by applying the selected one or more filtering policies to the electronic activity, to restrict the electronic activity from further processing based on the electronic activity satisfying at least one of the selected one or more filtering policies. The method includes restricting, the electronic activity from further processing. 1. A method comprising:identifying, by one or more processors, an electronic activity associated with a data source provider;parsing, by the one or more processors, the electronic activity to identify one or more electronic accounts in the electronic activity;determining, by the one or more processors, responsive to parsing the electronic activity, that the electronic activity is associated with an electronic account of the one or more electronic accounts, the electronic account corresponding to the data source provider;selecting, by the one or more processors based on the electronic account, one or more filtering policies associated with the data source provider to apply to the electronic activity, the selected one or more filtering policies including at least one of i) a keyword policy configured to restrict electronic activities including a predetermined keyword; ii) a regex pattern policy configured to restrict electronic activities including one or more character strings that match ...

Event ingestion management

A network communication device executes both a service function related to processing network traffic and a lower priority monitoring function. The network device performs an event ingestion throttling method to process events while deferring to the higher priority function. The method includes obtaining an event for a first queue from a plurality queues the event responsive to a change in a local database of the network communication device. Determining if an event queue entry is available or if the event queue is full. Determining if a total of in-use queue entries is higher than a threshold. Using an event scheduler monitor function to determine whether or not to initiate throttling of events for the monitor function in favor of the service function based on a combination of either individual queues becoming full or a backlog across all queues representing a reason to initiate throttling.

TRANSCEIVER ARRANGEMENT AND COMMUNICATION DEVICE

A transceiver arrangement is disclosed. The transceiver arrangement comprises a receiver arranged for frequency-division duplex communication with a communication network and a transmitter arranged for frequency-division duplex communication with the communication network. The transceiver arrangement also comprises a transmission port anda phase shifter arrangement which comprises a first 180° phase shifter and a second 180° phase shifter. The transceiver arrangement further comprises a filtering arrangement. The filtering arrangement comprises filters of a first type and filters of a second type. The filtering arrangement and the phase shifter arrangement are arranged to connect the receiver, transmitter and transmission port forming a first signal path between the transmission port and the transmitter by a first one of the filters of the first type and the first phase shifter in series, a second signal path between the transmission port and the transmitter by a second one of the filters of the first type and a first one of the filters of the second type in series, a third signal path between the transmission port and the receiver by a second one of the filters of the second type and the second phase shifter in series, and a fourth signal path between the transmission port and the receiver by a third one of the filters of the second type and a third one of the filters of the first type in series. The filters of the first type are arranged to pass signals at transmitter frequency and attenuate signals at receiver frequency, and the filters of the second type are arranged to attenuate signals at transmitter frequency and pass signals at receiver frequency. A communication device capable of frequency division duplex communication comprising such a transceiver arrangement is also disclosed. 1. A transceiver arrangement comprisinga receiver arranged for frequency-division duplex communication with a communication network;a transmitter arranged for frequency-division ...

MULTI-LEVEL DATA CHANNEL AND INSPECTION ARCHITECTURES HAVING DATA PIPES IN PARALLEL CONNECTIONS

Aspects of the disclosure relate to inspecting a data stream. Some aspects include conveying the data stream through a multi-level data channel and inspection architecture. The architecture includes a multi-level data pipeline. The pipeline includes a plurality of parallel pipes. The output of one pipe provides an input to a successive one of the pipes. The method further includes receiving the data stream at an upstream portion of the pipeline and inspecting data in the data stream for converting the data stream into inspected data. The method then outputs inspected data at a downstream portion of the pipeline. Each of the pipes inspect the data on a different level of data channel inspection than the other pipes. Each level of data channel inspection has data attributes and/or metadata extracting capabilities. Each pipe transfer data packets at greater than or equal to a threshold data transfer rate. 115-. (canceled)16. A method for inspecting a data stream , said method comprising: receiving the data stream at an upstream portion of the pipeline;', 'inspecting data in the data stream, the inspecting data for converting the data stream into inspected data; and', 'outputting inspected data at a downstream portion of the pipeline;, 'conveying the data stream through a multi-level data channel and inspection architecture, said architecture comprising a multi-level data pipeline, said pipeline comprising a plurality of pipes, the conveying comprising each of the plurality of pipes is coupled in parallel to one another within the multi-level data pipeline such that an input of each of the plurality of pipes is coupled to the upstream portion of the pipeline and an output of each of the plurality of pipes is coupled to provide the inspected data at the downstream portion of the pipeline;', 'each of the plurality of pipes is configured to inspect the data on a different level of data channel inspection than any of the other of the plurality of pipes, each level of data ...

MONITORING WIRELESS ACCESS POINT EVENTS

A wireless access point system includes a processor configured to tap event data and process the event data using a plurality of event filters. Each event filter of the plurality of event filters applies event criteria to detect one or more types of events. The wireless access point system includes a memory configured to store the tapped event data. The wireless access point system includes a communication interface configured to report a report of a detected event type, wherein At least a portion of the report is correlated to analyze a performance of a wireless network. 1. A wireless access point system , comprising:a processor configured to tap event data and process the event data using a plurality of event filters, wherein each event filter of the plurality of event filters applies event criteria to detect one or more types of events;a memory configured to store the tapped event data; anda communication interface configured to report a report of a detected event type, wherein at least a portion of the report is correlated to analyze a performance of a wireless network.2. The system of claim 1 , wherein the event data includes analytic data quantifying network performance.3. The system of claim 1 , wherein the performance of the wireless network includes a wireless network performance of a client of the wireless access point system.4. The system of claim 1 , wherein at least the portion of the report is correlated with location information of a client of the wireless access point system to analyze the performance of the wireless network.5. The system of claim 1 , wherein at least a portion of the report is correlated with at least a portion of another report of a different detected event type.6. The system of claim 1 , wherein at least a portion of the report is correlated with at least external data detected external to a network of the wireless access point system.7. The system of claim 1 , wherein at least a portion of the report is correlated with at least a ...

APPARATUS AND METHOD OF IDENTIFYING A USER PLANE IDENTIFIER OF A USER DEVICE BY A MONITORING PROBE

The present disclosure relates to methods of tracking user specific tunnels in wireless communication networks, such as a UTRAN/GERAN connected to a LTE network. 1. A method of identifying a user plane identifier of a user device by a monitoring probe in communication with at least one network device , the method comprising:monitoring a Serving Gateway over an S4 interface for receipt of a Create Session Request message comprising a first control plane Serving GPRS Support Node fully qualified Tunnel end identifier and an International mobile subscriber identity or a Globally Unique Temporary Identifier, and a first user plane identifier;in response to receipt of the Create Session Request message, monitoring the Serving Gateway over the S4 interface for receipt of a Create Session Response message comprising a second control plane Serving GPRS Support Node fully qualified Tunnel end identifier and a second user plane identifier;in response to receipt of the Create Session Response message, comparing the first control plane Serving GPRS Support Node fully qualified Tunnel end identifier to the second control plane Serving GPRS Support Node fully qualified Tunnel end identifier in order to determine whether or not the first control plane Serving GPRS Support Node fully qualified Tunnel end identifier corresponds to the second control plane Serving GPRS Support Node fully qualified Tunnel end identifier;in response to a determination that the first control plane Serving GPRS Support Node fully qualified Tunnel end identifier corresponds to the second control plane Serving GPRS Support Node fully qualified Tunnel end identifier, outputting the first control plane Serving GPRS Support Node fully qualified Tunnel end identifier, the first user plane identifier and the second user plane identifier to a same memory allocation such that the first user plane identifier and the second user plane identifier are identified as the user plane identifiers of a user device; ...

Method and System for Balancing Storage Data Traffic in Converged Networks

Methods for balancing storage data traffic in a system in which at least one computing device (server) coupled to a converged network accesses at least one storage device coupled (by at least one adapter) to the network, systems configured to perform such methods, and devices configured to implement such methods or for use in such systems. Typically, the system includes servers and adapters, and server agents implemented on the servers and adapter agents implemented on the adapters are configured to detect and respond to imbalances in storage and data traffic in the network, and to redirect the storage data traffic to reduce the imbalances and, thereby to improve the overall network performance (for both data communications and storage traffic). Typically, each agent operates autonomously (except in that an adapter agent may respond to a request or notification from a server agent), and no central computer or manager directs operation of the agents. 1. A system , including:at least one server having at least one server interface, wherein the server is configured to include a server agent and to be coupled to a converged network by the server interface;at least one storage device; andat least one adapter configured to be coupled to the storage device and having at least one adapter interface, wherein the adapter is configured to couple the storage device to the network via the adapter interface, and the adapter is configured to include an adapter agent,wherein the adapter agent is coupled and configured:to monitor data traffic occurring on each said adapter interface of the adapter, and to generate a consumed bandwidth indication for each said adapter interface, where the consumed bandwidth indication for each said adapter interface is indicative of consumed bandwidth of the adapter interface;to generate an available bandwidth indication for each said adapter interface of the adapter, where the available bandwidth indication for each said adapter interface is ...

Leader state transition compression mechanism to efficiently compress dfa based regular expression signatures

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store a single occurrence of a most repeated leader state transition within each group, the unique leader state transitions comprising the leader state transitions that are different from the most repeated leader state transition within the respective group; and leader transition bitmasks associated respectively with the leader states within each group.

HARDWARE ACCELERATION ARCHITECTURE FOR SIGNATURE MATCHING APPLICATIONS FOR DEEP PACKET INSPECTION

A signature matching hardware accelerator system comprising one or more hardware accelerator circuits, wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters, wherein the plurality of states are divided into groups, each group comprising a leader state having a plurality of leader state transitions and one or more member states, each having a plurality of member state transitions is disclosed. The hardware accelerator circuit comprises a memory circuit configured to store the leader state transitions within each group of the compressed DFA, only the member state transitions that are different from the leader state transitions for a respective character within each group of the compressed DFA and a plurality of member transition bitmasks associated respectively with the plurality of member state transitions. 1. A hardware accelerator system for signature matching in a distributed network system comprising one or more hardware accelerator circuits , wherein each of the hardware accelerator circuit utilizes a compressed deterministic finite automata (DFA) comprising a state table representing a database of digital signatures defined by a plurality of states and a plurality of characters , wherein the plurality of states are divided into groups , each group comprising a leader state having a plurality of leader state transitions and one or more member states , each having a plurality of member state transitions , the one or more hardware accelerators comprising: the leader state transitions within each group of the compressed DFA;', 'only the member state transitions that are different from the leader state transitions for a respective character within each group of the compressed DFA; and', 'member transition bitmasks associated respectively with the one or more member states, wherein ...

Distributed Network Troubleshooting Using Simultaneous Multi-Point Packet Capture

Some embodiments provide a method for performing a multi-point capture of packets in a network. The method identifies multiple nodes for the multi-point capture in the network. The method configures each node of the multiple nodes to capture a set of packets. The method receives multiple captured packet sets from the multiple nodes. The method analyzes the multiple captured packet sets. 1. A method for performing a multi-point capture of packets in a network , the method comprising:identifying a plurality of nodes for the multi-point capture in the network;configuring each node of the plurality of nodes to capture a set of packets;receiving a plurality of captured packet sets from the plurality of nodes; andanalyzing the plurality of captured packet sets.2. The method of further comprising receiving a configuration for the capture from an administrator of the network.3. The method of claim 2 , wherein the configuration for the capture comprises a session length claim 2 , wherein configuring each particular node comprises identifying a batch duration based on the session length and a set of properties of the particular node claim 2 , wherein receiving a captured packet set from the particular node comprises receiving a plurality of subsets of the set of captured packets claim 2 , wherein each subset comprises packets captured during the batch duration.4. The method of claim 3 , wherein the set of properties of the particular node comprises an amount of memory.5. The method of claim 2 , wherein the configuration comprises a packet filter claim 2 , wherein configuring each node comprises configuring the node to only capture packets that match the packet filter.6. The method of claim 5 , wherein the packet filter identifies a source node and a destination node claim 5 , wherein identifying the plurality of nodes comprises identifying a set of paths between the source node and the destination node.7. The method of claim 2 , wherein the configuration comprises a packet ...

DATA LEAKAGE PROTECTION IN CLOUD APPLICATIONS

A computer-implemented method for data leakage protection is disclosed. A monitoring template corresponding to the cloud application is selected based upon communication between a user and a cloud application and from a plurality of monitoring templates. A monitor is generated using the selected monitoring template. Identifying information of content shared between the user and the cloud application is obtained using the generated monitor. Data about the shared content for security analysis is obtained according to the identifying information of the shared content. 120- (canceled)21. A computer-implemented method within client and separate from a data leakage protection hardware system and a cloud application , comprising:transmitting, by the client, a communication to the cloud application; andreceiving, from the data leakage protection hardware system and by the client, a revised response, whereinthe data leakage protection hardware system selects, from a plurality of monitoring templates and based upon the communication, a monitoring template corresponding to the cloud application,the monitoring template is used to generate a template, anda response by the cloud application and to the communication is revised to include the monitor and forms the revised response.22. The method of claim 21 , whereinthe monitor includes monitor codes configured to record input of shared content into a predetermined field within the response.23. The method of claim 22 , whereinthe monitor code is configured to be loaded by the client before codes contained in the received response.24. The method of claims 22 , whereinthe monitor codes are configured to perform an action based upon a specified event.25. The method of claim 24 , whereinthe specified event is an initiation of an operation to communicate the shared content.26. The method of claim 24 , wherein encrypting a sharing file,', 'adding a watermark to the sharing file, and', 'canceling an operation associated with the specified ...

Estimating multiple distinct-flow counts in parallel

A network switch includes circuitry, multiple ports and multiple hardware-implemented distinct-flow counters. The multiple ports are configured to receive packets from a communication network. Each of the multiple hardware-implemented distinct-flow counters is configured to receive (i) a respective count definition specifying one or more packet-header fields and (ii) a respective subset of the received packets, and to estimate a respective number of distinct flows that are present in the subset, by evaluating, over the packets in the subset, a number of distinct values in the packet-header fields belonging to the count definition. The circuitry is configured to provide each of the distinct-flow counters with the respective subset of the received packets, including providing a given packet to a plurality of the distinct-flow counters, and to identify an event-of-interest based on numbers of distinct flows estimated by the distinct-flow counters.

Intelligent RAN Flow Management and Distributed Policy Enforcement

A system is disclosed for providing configurable flow management, comprising: a first base station coupled to a user device and with an established control connection with the user device; and a coordinating node coupled to the first base station and coupled to a core network, thereby providing a gateway for the first base station and the user device to the core network, the core network further comprising a policy and charging rules function (PCRF) node with a database of policy rules, wherein the coordinating node is configured to retrieve policy rules from the PCRF node, to enable enforcement of retrieved policy rules on flows from the user device passing through the coordinating node, and to transmit policy rules to the first base station for enforcement at the first base station. 1. A system for providing configurable flow management , comprising:a first base station coupled to a user device and with an established control connection with the user device; anda coordinating node coupled to the first base station and coupled to a core network, thereby providing a gateway for the first base station and the user device to the core network, the core network further comprising a policy and charging rules function (PCRF) node with a database of policy rules,wherein the coordinating node is configured to retrieve policy rules from the PCRF node, to enable enforcement of retrieved policy rules on flows from the user device passing through the coordinating node, and to transmit policy rules to the first base station for enforcement at the first base station.2. The system of claim 1 , wherein the first base station is capable of at least one of a 2G air interface claim 1 , a 3G air interface claim 1 , or a 4G air interface.3. The system of claim 1 , wherein the PCRF node is located at a 4G long term evolution (LTE) packet data network gateway (P-GW).4. The system of claim 1 , wherein enforcement is performed at the first base station and wherein the first base station ...

METHODS AND SYSTEM FOR PACKET CONTROL AND INSPECTION IN CONTAINERS AND MESHED ENVIRONMENTS

An instantiated application includes both a runtime instantiation of an application image, and an administrative service operable to install in the instantiated application at least one security module during runtime of the instantiated application in a container. Prior to runtime, a design time agent can access the application image in a repository, examine the application image, and based on the examining, adding at least one security module to the application image prior to instantiation. During runtime, a runtime agent can query parameters of the container, such as static and dynamic variables available on the machine on which the container is running. The runtime agent processes these parameters in conjunction with predefined rules to determine an action such as starting, stopping, adding, and/or changing the security module, such as the method of packet inspection. 1. A system for securing a container , the system comprising: (i) a runtime instantiation of an application image, and', '(ii) an administrative service having administrator access to said instantiated application, said administrative service operable to install in said instantiated application at least one security module during runtime of said instantiated application in the container., '(a) an instantiated application including2. The system of wherein said administrative service is further operable to execute upon instantiation of said instantiated application.3. The system of wherein said administrative service is further operable to terminate execution of one or more security modules.4. The system of wherein said administrative service is operable to install in said instantiated application a plurality of security modules claim 1 , said plurality of security modules defending a same security vector claim 1 , said plurality of security modules each of different technical structure claim 1 , where each technical structure is optimized for specific circumstances of running said instantiated ...

Data plane interface network quality of service in multi-tenant data centers

Methods, apparatus, and systems for data plane interface network Quality of Service (QoS) in multi-tenant data centers. Data plane operations including packet generation and encapsulation are performed in software running in virtual machines (VMs) or containers hosted by a compute platform. Control plane operations, including QoS traffic classification, are implemented in hardware by a network controller. Work submission and work completion queues are implemented in software for each VM or container. Work elements (WEs) defining work to be completed by the network controller are generated by software and processed by the network controller to classify packets associated with the WEs into QoS traffic classes, wherein packets belonging to a give traffic flow are classified to the same QoS traffic class. The network controller is also configured to perform scheduling of packet egress as a function of the packet's QoS traffic classifications, to transmit packets that are scheduled for egress onto the network, and to DMA indicia to the work completion queues to indicate the work associated with WEs has been completed.

MANAGING LARGE VOLUMES OF EVENT DATA RECORDS

A network device that operates as an analysis platform for analysis of event data records that can provide a flexible approach to event data record aggregation. For example, aggregation can be flexibly turned on or off and dynamically adjusted based on event record volume and other factors such as network capacity or throughput. Devices that are instructed to aggregate records can also be instructed to archive the raw records, e.g., to maintain a full fidelity log of events. Devices can further be instructed to utilize a mixed queue approach to determine an order to deliver those records that includes both older records and newer records. 1. A device , comprising:a processor; anda memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:determining that an event storm has occurred in response to a volume of raw event records generated by a group of network devices being determined to have exceeded a defined threshold at a defined time;instructing a network device of the group of network devices to generate aggregated event records representative of an aggregation of the raw event records generated after the defined time;instructing the network device to transmit the aggregated event records according to a mixed ordering protocol comprising:transmitting a first portion of the aggregated event records according to a first-in-first-out protocol that populates the first portion with first members of the aggregated event records that were generated nearest to the defined time; andtransmitting a second portion of the aggregated event records according to a last-in-first-out protocol that populates the second portion with second members of the aggregated event records that were generated nearest to a current time.2. The device of claim 1 , wherein the mixed ordering protocol comprises a configurable ratio representative of a first number of records of the first portion to a second number of records of ...

PREDICTING COMPUTER NETWORK EQUIPMENT FAILURE

A network monitor may receive network log events and identify: a first set of network devices that have reported a target network log event, a second set of network devices that have not reported the target network log event, a first set of network log events reported by the first set of network devices, and a second set of network log events reported by the second set of network devices. The network monitor may determine which network log events are legitimate, and filter the legitimate network log events from the first set of network log events or the second set of network log events to produce a group of suspicious network log events that may be correlated with the target network log event. The network monitor may predict future suspicious network log events that may be correlated with the target network log event in order to predict equipment failures. 1. A computer-implemented method comprising:producing a first group of suspicious network log events that may be correlated with a target network log event, wherein the first group of suspicious network log events corresponds to a first product family;identifying a second group of suspicious network log events that may be correlated with the target network log event, wherein the second group of suspicious network log events corresponds to a second product family; andanalyzing the first group of suspicious network log events and the second group of suspicious network log events to identify a pattern relating to the target network log event across the first product family and the second product family.2. The method of claim 1 , wherein analyzing the first group of suspicious network log events and the second group of suspicious network log events includes:analyzing network log events of the first group of suspicious network log events and the second group of suspicious network log events that occurred within a first amount of time before the target network log event or a second amount of time after the target ...

IMPLEMENTING FORWARDING BEHAVIOR BASED ON COMMUNICATION ACTIVITY BETWEEN A CONTROLLER AND A NETWORK DEVICE

In an example, a method is disclosed for implementing forwarding behavior based on communication activity between an SDN controller and a network device. The method includes generating, for the network device, a first flow table rule to implement first forwarding behavior for a network flow if communication to the SDN controller is active. The first flow table rule comprises match criteria for matching to the network flow, a first timeout value, and a first priority value. The method also includes generating, for the network device, a second flow table rule to implement second forwarding behavior for the network flow if communication to the SDN controller is not active. The second flow table rule comprises match criteria for matching to the network flow, a second timeout value, and a second priority value. The method further includes instructing the network device to implement the first and second flow table rules. 1. A method , comprising , by a processor of a Software Defined Network (SDN) controller:generating, for a network device, a first flow table rule to implement first forwarding behavior for a network flow if communication to the SDN controller is active, the first flow table rule comprising match criteria for matching to the network flow, a first timeout value, and a first priority value;generating, for the network device, a second flow table rule to implement second forwarding behavior for the network flow if communication to the SDN controller is not active, the second flow table rule comprising match criteria for matching to the network flow, a second timeout value, and a second priority value; andinstructing the network device to implement the first and second flow table rules.2. The method of claim 1 , wherein the first timeout value is shorter than the second timeout value.3. The method of claim 2 , further comprising periodically refreshing the first flow table rule at an interval shorter than the first timeout value.4. The method of claim 3 , ...

DATA REDUCTION TECHNIQUES FOR A MULTI-SENSOR INTERNET OF THINGS ENVIRONMENT

Data reduction techniques are provided for a multi-sensor IoT environment. An exemplary method comprises: dynamically determining, by a device within a distributed network comprised of a plurality of sensors, an amount of sensor data to be collected by and/or transmitted by a sensor within the distributed network based on at least one predefined spatial-based rule and/or at least one predefined temporal-based rule; and processing the sensor data based on the dynamically determined amount of sensor data. A percentage of the plurality of sensors within the distributed network that collect and/or transmit the sensor data can optionally be specified. One or more sensors optionally collect the sensor data at a default resolution and a predefined spatial-based rule and/or a predefined temporal-based rule specifies a predefined trigger for at least one sensor to collect and/or transmit the sensor data at a higher resolution. 1. A method , comprising:dynamically determining, by at least one processing device within a distributed network comprised of a plurality of sensors, an amount of sensor data to be one or more of collected by and transmitted by at least one of the plurality of sensors within the distributed network based on one or more of at least one predefined spatial-based rule and at least one predefined temporal-based rule; andprocessing, by the at least one processing device, the sensor data based on the dynamically determined amount of sensor data.2. The method of claim 1 , wherein the sensors within the distributed network are identified based on one or more of a direct transmission radius between the sensors claim 1 , a radius between the sensors claim 1 , and one or more of a trajectory and location of the sensors.3. The method of claim 1 , wherein one or more of the at least one predefined spatial-based rule and the at least one predefined temporal-based rule specify a percentage of the plurality of sensors within the distributed network that one or more of ...

Packet batching identification

The present disclosure provides a method, apparatus, and system for identifying packet batching within computer networks. A method consistent with the present disclosure includes sending a probe train of packets to traverse a network path within a computer network. Next, identifying a contiguous set of packets that traversed the network path with a negative DIAD time. Further, classifying the contiguous set of packets as a packet batch when a packet that traversed the network path right before the contiguous set of packets traversed the network path has a positive DIAD time. In addition, a size of a next probe train of packets that are to be sent to traverse the network path can be adjusted based on the size of the contiguous set of packets. Accurately identifying packet batching can enable more precise computer network bandwidth estimation and network traffic engineering solutions.

DEVICE AND METHOD FOR CONNECTING A PRODUCTION DEVICE TO A NETWORK

An apparatus for connecting a data-processing and/or data-generating production apparatus with a network includes a first network interface to be connected with the network, a second network interface to be connected with the production apparatus, and a program code stored in the memory for execution by the at least one processor. The program code comprises program code upon whose execution data packets received at the second network interface via a second protocol are forwarded to the first network interface, and/or upon whose execution data packets received at the first network interface via a first protocol are forwarded to the second network interface and there are sent via a second protocol to the production apparatus. The program code comprises program code upon whose execution the at least one processor applies a packet filter to the data packets on the way between the network interfaces. 116.-. (canceled)17. An apparatus for connecting a data-processing and/or data-generating production apparatus with a network , preferably with a data processing device , for example a server , via the network , comprisinga memory,at least one processor with the memory, which processor can access the memory in reading and writing manner,a first network interface to be connected with the network,a second network interface to be connected with the production apparatus,a computer program's program code stored in the memory for execution by the at least one processor,wherein the program code comprises program code upon whose execution data packets received at the second network interface via a second protocol are forwarded to the first network interface and there are sent via a first protocol into the network, in particular to the data processing apparatus, for example the server, and/orupon whose execution data packets received at the first network interface via a first protocol are forwarded to the second network interface and there are sent via a second protocol to the ...

PERFORMANCE MEASUREMENT IN A PACKET-SWITCHED COMMUNICATION NETWORK

A method for performing a performance measurement in a communication network. Each measurement point in the network identifies packets of a multipoint packet flow and selects therefrom a number of samples, based on the value of a sampling signature calculated by applying a hash function to a bit mask in each identified packet. For each sample, a performance parameter and the packet's content are provided to a management server. The management server identifies a cluster of measurement points such that each identified packet of the multipoint packet flow received by a cluster's input measurement point is also received at a cluster's output measurement point. Amongst the performance parameters provided by the cluster's measurement points, the performance parameters relating to samples belonging to a certain packet sub-flow are identified, based on the packet's content. Then, a performance measurement is performed on the packet sub-flow. 1. A method for performing a performance measurement in a communication network) , said method comprising , at each measurement point (MPk) of a number of measurement points implemented in said communication network:a) identifying packets of a multipoint packet flow;b) amongst said identified packets of said multipoint packet flow, selecting a number of sample packets, said selecting being based on the value of a sampling signature calculated by applying a hash function to a predetermined mask of bits in each identified packet;c) for each sample packet, providing to a management server a sample performance parameter and at least a portion of the packet's content;said method further comprising, at said management server:{'b': '0', 'd) amongst said number of measurement points, identifying a cluster of measurement points wherein, if no packet loss occurs, each identified packet of said multipoint packet flow received by an input measurement point (MP) of said cluster is also received at an output measurement point of said cluster;'}e) ...

Detecting sources of computer network failures

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting sources of computer network failures. One of the methods includes identifying a network flow in a computer network between a source and a destination; performing a first probe to determine whether there is end-to-end connectivity between the source and the destination; in response to determining that there is no end-to-end connectivity between the host and the destination, performing one or more additional probes including a second probe to determine whether each hop in the path of the network flow between the source and the destination is operational including requesting that the source transmit a respective first trace diagnostic packet to each hop in the path of the network flow; and determining whether at least one link of the computer network that is part of the path of the network flow has failed based on the results.

METHOD FOR MEASURING A TRANSMISSION DELAY WITH CONTROL OF DEGREES OF CONTENTION APPLIED TO A DATA FRAME

The invention relates to a method for transmitting a target data frame (fA) on a path comprising at least one router (R) that has input ports (P, P, P), at least one output port (PS) and an arbitration unit (UA) configured so as to select a data frame from a plurality of data frames each coming from a different input port and competing for transmission by one and the same output port. The method comprises specifying, for each of the access ports of the router, data frames (fB, fC) competing with the target data frame for transmission by a target output port of the router. An end-to-end transmission time of the target data frame on the path is then measured while the arbitration unit selects the competing data frame (fB) before the target data frame (fA) for transmission by the target output port (PS). 1123. A method for transmitting data frames each on a path comprising at least one router (R) which includes input ports (P , P , P) , at least one output port (PS) and an arbitration unit (UA) configured to select a data frame from a plurality of data frames each coming from an input port and competing for transmission through a same output port , the method comprising the following steps of:{'sub': A', 'B', 'C, 'a) for each router in the path of a target data frame (f), specifying, for each of the input ports of the router, competing data frames (f, f) with the target data frame for transmission through a target output port of the router;'} [{'sub': A', 'B, 'b': '1', 'i) in the presence of the target data frame (f) on a router input port (P), selecting, by the arbitration unit, one or more competing data frames (f); and'}, {'b': 1', '2', '3, 'sub': 'B', 'ii) transmitting (#, #) through the target output port (PS) the one or more competing data frames (f) selected prior to transmitting (#) the target data frame.'}], 'b) transmitting the target data frame and the competing data frames and measuring an end-to-end transmission time of the target data frame on the path, ...

System and method for adaptive traffic path management

A system and method for adaptive traffic path management, the method including: receiving at least one packet associated with a traffic flow; determining whether the traffic flow is a roaming traffic flow; determining application parameters associated with the at least one packet; determining attributes correlated with the traffic flow associated with the at least one packet; analyzing the application parameters and attributes to determine a Network Address Translation (NAT) pool for the traffic flow; determining if a modified NAT is needed based on the NAT pool for the traffic flow; if a modified NAT is needed, modifying the NAT for the at least one packet associated with the traffic flow; and sending the at least one packet and the traffic flow associated with the at least one packet to a path associated with the modified NAT.

Method for processing received signal of mimo receiver

Disclosed herein is a received signal processing method including selecting a reference resource element (RE) from a resource block (RB) including a plurality of REs, generating a common filter to be shared among some or all of the plurality of REs of the RB based on channel information of the reference RE, selecting a first border RE, at which the number of repetitions of a compensation process of a primary signal generated using the common filter exceeds a threshold while progressing starting from the reference RE along any one of a time or frequency axis direction, and a second border RE, at which the number of repetition of the compensation process of the primary signal generated using the common filter exceeds the threshold while progressing starting from the first border RE along the other of the time or frequency axis direction, from the RB and forming an RE group sharing the common filter based on the first border RE and the second border RE.

SYSTEM FOR ORGANIZING AND FAST SEARCHING OF MASSIVE AMOUNTS OF DATA

A system to collect and store in a special data structure arranged for rapid searching massive amounts of data. Performance metric data is one example. The performance metric data is recorded in time-series measurements, converted into unicode, and arranged into a special data structure having one directory for every day which stores all the metric data collected that day. The data structure at the server where analysis is done has a subdirectory for every resource type. Each subdirectory contains text files of performance metric data values measured for attributes in a group of attributes to which said text file is dedicated. Each attribute has its own section and the performance metric data values are recorded in time series as unicode hex numbers as a comma delimited list. Analysis of the performance metric data is done using regular expressions. 1. A process comprising:running a probe process on a computer and periodically gathering numbers about performance parameters from multiple performance attributes of multiple resource types;sorting performance attribute numbers by day on which it was collected, and by resource type and by performance attribute;storing all the performance numbers gathered on one day in a top level directory, with all the performance numbers gathered from all resources of a particular category of resource in one text file in a separate subdirectory dedicated to the resource category, and all the performance numbers gathered about other resources in another category in another text file in a separate subdirectory devoted to the another category, until all performance numbers about all categories of resources are gathered in several text files in several subdirectories; andand wherein in each text file all performance numbers regarding a particular resource type in the resource category to which the text file is devoted are stored in one row of the file in a comma delimited list, the assortment of all rows containing the performance numbers ...

METHODS AND ARRANGEMENTS FOR CHANNEL ESTIMATION

Some embodiments provide a method for channel estimation in a wireless device. According to the method, the wireless device obtains () an indication that a set of antenna ports, or antenna port types, share at least one channel property. The wireless device then estimates () one or more of the shared channel properties based at least on a first reference signal received from a first antenna port included in the set, or having a type corresponding to one of the types in the set. Furthermore, the wireless device performs () channel estimation based on a second reference signal received from a second antenna port included in the set, or having a type corresponding to one of the types in the set, wherein the channel estimation is performed using at least the estimated channel properties. 121-. (canceled)22. A method for channel estimation in a wireless device , the method comprising:determining a set of antenna ports, or antenna port types, which share at least one channel property;estimating one or more of the shared channel property or properties based at least on a first reference signal received from a first antenna port included in the set, or having a type corresponding to one of the types in the set; andperforming channel estimation based on a second reference signal received from a second antenna port included in the set, or having a type corresponding to one of the types in the set,wherein the channel estimation based on the second reference signal is performed using at least the estimated one or more of the shared channel property or properties.23. The method of claim 22 , wherein the estimation of one or more of the shared channel properties is performed jointly claim 22 , based on the first reference signal and the second reference signal.24. The method of claim 22 , wherein the step of performing channel estimation comprises:generating an estimation filter based on the estimated channel properties; andapplying the estimation filter to the second reference ...

Performance monitoring of system version releases

A system and method for comparative performance monitoring of software release versions is disclosed. A remote network management platform may include a computational instance for managing a network. Transactions between a server of the computational instance and a client device in the managed network may be logged to a database. Transactions may be carried out by a release version of a set of program code units executing on the server. A software application executing on a computing device may retrieve and analyze a first set of transactions carried out by a first release version of the set of program code units to determine a first set of performance metrics, and do the same for a second set of transactions carried out by a second release version of the set of program code units to determine a second set of performance metrics. A classification filter may be applied to the metrics, and a quantitative comparison of the filtered first and second sets of performance metrics may be displayed on graphical user device.

APPARATUSES, METHODS AND COMPUTER PROGRAMS FOR A BASE STATION TRANSCEIVER AND FOR A MOBILE TRANSCEIVER

The control module () of the apparatus is operable to relay data packets of the data service between the mobile transceiver () and the data server (). The control module () is further operable to determine a control data packet for the data service between the data server () and the mobile transceiver (). The control data packet is intended to maintain a connection established between the data server () and the mobile transceiver (). The control module () is further operable to provide a reply data packet for the control data packet to the data server () without relaying the control data packet to the mobile transceiver (), and/or generate and provide the control data packet to the data server (). 1. An apparatus operable in a base station transceiver of a mobile communication system , the apparatus comprisinga transceiver module operable to communicate with a mobile transceiver, the mobile transceiver using a data service provided by a data server;an interface operable to communicate with the data server providing the data service to the mobile transceiver; and control the transceiver module and the interface,', 'relay data packets of the data service between the mobile transceiver and the data server,', provide a reply data packet for the control data packet to the data server without relaying the control data packet to the mobile transceiver, and/or', 'generate and provide the control data packet to the data server without relaying the control data packet to the mobile transceiver., 'determine a control data packet for the data service between the data server and the mobile transceiver, the control data packet being intended to maintain a connection established between the data server and the mobile transceiver, and'}], 'a control module operable to2. The apparatus of claim 1 , wherein the control module is operable to determine the control data packet using packet inspection of the data packets transmitted from the data server to the mobile transceiver claim 1 , ...

Methods, systems, and computer readable media for generating and using a web page classification model

Methods, systems, and computer readable media for generating and using a web page classification model are disclosed. The method may include identifying a plurality of web pages for generating a web page classification model, assigning a label to each of the plurality of web pages, accessing Transmission Control Protocol/Internet Protocol (TCP/IP) traffic traces associated with downloading content from each of the plurality of web pages, processing TCP/IP headers from the TCP/IP traffic traces to identify and extract features that discriminate between the labels, that are uncorrelated and whose discriminatory accuracy remains stable across time and/or browser platform. The method may further include generating a web page classification model by training a trainer to learn a combination of the features that accurately discriminates between the labels. The model is usable to classify unlabeled web pages by applying the model to TCP/IP traffic traces used to access the unlabeled web pages.

Method and system for network monitoring using signature packets

A method of monitoring a network with a test device connected to the network includes monitoring a plurality of packets which pass through the test device, comparing a predefined field of each of the plurality of packets to a predefined pattern so as to identify signature packets, evaluating whether the signature packets satisfy a predefined condition, and, if the predefined condition is satisfied, sending a notification to a user. A system implementing the method is provided.

Method for packet data convergence protocol count synchronization

Aspects of the present disclosure provide mechanisms for count synchronization in a wireless communication network. A respective count value may be maintained for each packet transmitted over a wireless connection, where each count value includes a respective hyper frame number and a respective sequence number. To synchronize a current count value associated with a current packet, a count synchronization may be initiated to transmit at least a current hyper frame number of the current count value over the wireless connection.

CROWD-SOURCED CLOUD COMPUTING RESOURCE VALIDATION

Resource provider specifications, characterizing computing resources of computing resource providers, are received. The reachability of each IP address included in the received specification is determined. An agent is deployed that is operable to determine the value of each of a set of metrics in the environment of the host at which the agent is deployed. The agent determines the value of each metric of the set of metrics in the environment of the relevant host, and communicates the determined values to one or more computing devices that validate whether the resources characterized by the communicated values are sufficient to provide the performance characterized by the received specification and that each ISP router complies with a predetermined policy. For each computing resource provider validated and determined to comprise an ISP router compliant with policy, the specified computing resources are added to a pool of resources for cloud computing. 1. A method , comprising: wherein each received specification characterizes computing resources of one of a plurality of computing resource providers, the computing resources having been registered for participation in a cloud computing service, the computing resources comprising at least one host and one Internet Service Provider (ISP) router, and', 'wherein each received specification comprises one or more values for each of a plurality of resource specification parameters including an Internet Protocol (IP) address for each specified host and for each specified Internet Service Provider (ISP) router;, 'receiving, by one or more computing devices, a plurality of resource provider specificationsdetermining, by the one or more computing devices for each received specification, the reachability of each IP address included in the received specification;deploying, by the one or more computing devices and at each host determined to be reachable, an agent operable to determine a value of each of a set of metrics in an ...

DATA ACQUISITION DEVICE, DATA ACQUISITION METHOD AND STORAGE MEDIUM

A non-transitory computer-readable storage medium having stored therein a program, the program executing a process include storing an object that is a unit obtained by sectioning received data by a certain size, the object including a plurality of sessions; calculating a value related to an acquisition time for each of a plurality of data acquisition methods that include a first method that acquires the data in a unit of the session and a second method that acquires the data in a unit of the object; determining the data acquisition method based on the value related to the calculated acquisition time; performing the data acquisition with the determined data acquisition method; periodically acquiring the data with the data acquisition method other than the determined data acquisition method; updating the value related to the acquisition time; and determining the data acquisition method based on the value related to the acquisition time. 1. A non-transitory computer-readable storage medium having stored therein a program for acquiring data , the program causing a computer to execute a process comprising:storing an object that is a unit obtained by sectioning received data by a certain size, the object including a plurality of sessions;calculating a value related to an acquisition time for each of a plurality of data acquisition methods that include a first method that acquires the data in a unit of the session and a second method that acquires the data in a unit of the object;determining the data acquisition method based on the value related to the calculated acquisition time;performing the data acquisition with the determined data acquisition method;periodically acquiring the data with the data acquisition method other than the determined data acquisition method;updating the value related to the acquisition time; anddetermining the data acquisition method based on the value related to the acquisition time.2. The storage medium according to claim 1 , wherein the ...

NETWORKS FOR PACKET MONITORING AND REPLAY

Disclosed herein are a system, non-transitory computer readable medium, and method for monitoring and replaying packets. A network tap forwards packets from a first network to a second network. At least one node in the first network has the same IP address as a node in the second network. The packets are replayed in the second network. 1. An apparatus comprising:a network interface; establish communication with a network terminal access point (TAP) of a first network, each node of the first network having an internet protocol (IP) address;', 'establish communication with at least one node of a second network, at least one node in the second network corresponding to a node in the first network such that respective IP addresses of corresponding nodes are equal;', 'receive a first packet and a second packet from the network TAP of the first network, each packet comprising a source IP address and a timestamp, the source IP address indicating a respective node in the first network from where each packet originates; and', 'launch the first packet and the second packet from a respective node in the second network that corresponds to the source IP address of each packet in a sequence that is in accordance with the timestamp of each packet., 'at least one processor to2. The apparatus of claim 1 , wherein the at least one processor is further configured to store the first packet and the second packet in a database.3. The apparatus of claim 2 , wherein the at least one processor is further configured to sort the first packet and the second packet in the database by timestamp.4. The apparatus of claim 2 , wherein the at least one processor is further configured to retrieve the first packet and the second packet from the database to launch the first packet and the second packet.5. The apparatus of claim 1 , wherein the network tap is an optical fiber network tap.6. The apparatus of claim 1 , wherein an internal clock of a node in the first network is synchronized with an ...

PERFORMANCE MEASUREMENT IN A PACKET-SWITCHED COMMUNICATION NETWORK

A method for performance measurement in packet switched communication networks. The method includes generating a flow of artificial packets, which is then aggregated to the packet flow to be measured by an aggregator. The artificial packets are configured to follow the packet flow to be measured, starting from the point where aggregation is performed. Two measurement points are then provided after the aggregator, which provide respective raw performance measurements indicative of actual positions of the artificial packets in the aggregated packet flow. The raw performance measurements are then used for providing the performance measurements. Since all the raw performance measurements are generated after the aggregator, the measurement results are accurate without need to precisely insert the artificial packets at predetermined positions of the packet flow to be measured. 115-. (canceled)16: A method for performing a performance measurement on a packet flow transmitted along a path through a packet switched communication network , the method comprising:a) generating a flow of artificial packets;b) aggregating the flow of artificial packets with the packet flow at a node of the communication network located along the path, to provide an aggregated packet flow which is transmitted along at least a length of the path starting from the node;c) at a first measurement point located along the length of the path, providing a first raw performance measurement indicative of actual positions of the artificial packets in the aggregated packet flow;d) at a second measurement point located along the length of the path, providing a second raw performance measurement indicative of actual positions of the artificial packets in the aggregated packet flow; ande) performing a performance measurement of the packet flow using the first and second raw performance measurements.17: The method according to claim 16 , wherein a) comprises configuring the artificial packets so that they are ...

SOURCE-DRIVEN SWITCH PROBING WITH FEEDBACK REQUEST

Embodiments relate to proactively probing the packet queues of elements in a physical or virtual network to predict and prevent the occurrence of congestion points. An aspect includes receiving a first feedback request at a central controller connected to a plurality of switches in a network. The first feedback request includes a request to periodically probe a status of queues of switches in the network. A second feedback request is then transmitted to one or all the switches in a path leading to a designated destination. Responses to the second feedback request are received at the central controller from a designated proxy switch, which aggregated the responses into a single data packet. Accordingly, the responses extracted from the single data packet at the central controller are used to preventing future congestion points. 1. A computer-implemented method , comprising:receiving a first feedback request at a central controller connected to a plurality of switches in a network, the first feedback request including a request to periodically probe a status of queues of switches in the network;transmitting a second feedback request to one or all the switches in a path leading to a designated destination;receiving responses to the second feedback request from a designated proxy switch, the previously designated proxy switch having aggregated the responses into a single data packet;extracting the responses from the single data packet at the central controller; andpreventing congestion points based on the extracted responses.2. The computer-implemented method of claim 1 , wherein the preventing further comprises a selected of reporting statistics to a feedback requester claim 1 , rerouting packet traffic claim 1 , and adjusting source injection rates.3. The computer-implemented method of claim 1 , wherein the plurality of switches in the network comprises a selected one of a quantized congestion notification (QCN)-compliant switch and an OpenFlow-compliant switch.4. The ...

MODULAR ARRANGEMENT DECISION DEVICE, MODULAR ARRANGEMENT DECISION SYSTEM, AND MODULAR ARRANGEMENT DECISION METHOD

A modular arrangement decision device includes a storing unit and selecting units. Network information of a network connected to nodes and an identifier for identifying a module to be arranged in a node are stored in the storing unit. The first selecting unit selects a predetermined number of pieces of information with a higher degree of evaluation from among first information indicating a node in which the module is to be arranged among the multiple nodes, and second information obtained by changing the first information. The second selecting unit selects a predetermined number of pieces of information with a smaller number of unmatched conditions, from the information selected by the first selecting unit and third information obtained by changing the information selected by the first selecting unit. The third selecting unit selects information in which an evaluation value and a number of unmatched conditions satisfy a predetermined criteria. 1. A modular arrangement decision device comprising:a storing unit that stores therein network information indicating a network to which multiple nodes each of which sends a detected event or relays the event are connected and that stores therein an identifier for identifying a module that performs a process on the event;a first selecting unit that selects a predetermined number of pieces of information with a higher degree of evaluation from among pieces of first information and pieces of second information, on a basis of an evaluation value that indicates a degree of evaluation of the pieces of the first information and the pieces of the second information, the first information indicating a node in which the module is to be arranged among the multiple nodes, and the second information being obtained by changing the node in which the module is to be arranged from the first information;a second selecting unit that selects a predetermined number of pieces of information with a smaller number of unmatched conditions among a ...

FRAME ANALYSIS - A NEW WAY TO ANALYZE SERIAL AND OTHER PACKETIZED DATA

An aspect of the invention includes a machine. The machine can receive data and determine a logical subdivision of the data. The machine can then identify frames within the data, based on the logical subdivision of the data. The machine can then display the frames to the user for visual comparison. 1. A system , comprising:a machine;an input port on the machine to receive data;a logical subdivision determiner to identify a logical subdivision of said data;a frame identifier to identify a first frame and a second frame in said data, said first frame and said second frame each including one unit of said logical subdivision of said data and said first frame and said second frame do not overlap; anda monitor to permit a user to visually compare said first frame with said second frame.2. A system according to claim 1 , wherein said first frame is imported from a second machine.3. A system according to claim 1 , wherein:said logical subdivision includes a packet; andthe system further includes a filter to filter said data based on at least one of header information and data content in packets in said data.4. A system according to claim 1 , wherein:said logical subdivision includes a video frame; andthe system further includes a filter to filter said data based on at least one of line numbers and video content in video frames in said data.5. A system according to claim 1 , wherein:said logical subdivision includes a waveform, the waveform based on at least one of a number of cycles, a specified time duration, and a pulse including specific characteristics; andthe system further includes a filter to filter said data based on a waveform characteristic.6. A system according to claim 5 , wherein the waveform used to identify the logical subdivision of the data is received from an alternate claim 5 , secondary signal.7. A system according to claim 1 , the system further includes a filter to identify said second frame as being within a threshold of difference from said first ...

Method, apparatus and system for marking service data packet

A method, an apparatus and a system for marking a service data packet are provided. A traffic detection function TDF is requested to detect a data flow description or data flow starting or ending information corresponding to a service application type. The detected data flow description or a data flow starting or ending information report, transmitted by the TDF, is received. A data packet marking rule is generated according to the data flow description or the data flow starting or ending information report. A session modification message carrying the data packet marking rule is transmitted to a bearer binding function entity BBF for the BBF to map a data flow identified by the session modification message to a bearer according to the session modification message, and mark a GTP-U header according to the data packet marking rule.

DATA FLOW FORWARDING ABNORMALITY DETECTION METHOD AND SYSTEM, AND CONTROLLER

The present disclosure relates to a data flow forwarding abnormality detection method. In one example method, a switching device through which a to-be-detected data flow passes is determined by a controller. At least one flow entry in the switching device that matches the to-be-detected data flow is obtained. The at least one flow entry comprises actual traffic and a match field. The actual traffic is a value of a counter corresponding to the match field. An overdetermined equation set is established based on the actual traffic and theoretical traffic of a data flow in the switching device that matches the match field. Based on the overdetermined equation set, a determination is made on whether the at least one flow entry is abnormal. 1. A method , comprising:determining, by a controller, a switching device through which a to-be-detected data flow passes;obtaining at least one flow entry in the switching device that matches the to-be-detected data flow, wherein the at least one flow entry comprises actual traffic and a match field, and the actual traffic is a value of a counter corresponding to the match field;establishing an overdetermined equation set based on the actual traffic and theoretical traffic of a data flow in the switching device that matches the match field, wherein the theoretical traffic forms an unknown number vector of the overdetermined equation set, and the actual traffic forms a constant term vector of the overdetermined equation set; anddetermining, based on the overdetermined equation set, whether the at least one flow entry is abnormal.2. The method according to claim 1 , wherein the determining claim 1 , based on the overdetermined equation set claim 1 , whether the at least one flow entry is abnormal comprises:substituting a least square solution of the overdetermined equation set into an unknown number vector side of the overdetermined equation set, to obtain an updated constant term vector;obtaining a square error norm based on the ...

BEHAVIORAL BASED DEVICE CLUSTERING

One or more embodiments are directed behavioral based device clustering. A network traffic log of devices in the network is received. Features of devices are extracted from the network traffic log and aggregated into an aggregated feature matrix on a per device basis. By applying a topic modeling algorithm to the aggregated feature matrix, the devices are clustered into device groups according to behavior groups. A device is assigned to the device group to create an assignment. 1. A method comprising:receiving, via a network connection with a plurality of devices, a log including network traffic of the plurality of devices in a network;extracting, from the log, a plurality of features of the plurality of devices;aggregating, per device of the plurality of devices, the plurality of features into an aggregated feature matrix for the plurality of devices, wherein the aggregated feature matrix comprises a plurality of entries, each entry of the plurality of entries including, for particular feature and a particular device, a value based on a respective plurality of events having the particular feature for the particular device;clustering, by applying a topic modeling algorithm to the aggregated feature matrix, the plurality of devices into a plurality of device groups according to one or more behavior groups of the plurality of device groups; andassigning one or more devices of the plurality of devices on the network to one of the plurality of device groups to obtain an assignment.2. The method of claim 1 , further comprising:updating the assignment of the one or more devices of the plurality of devices to the one of the plurality of device groups when the log is updated.3. (canceled)4. The method of claim 1 , wherein clustering the plurality of devices comprises:selecting a traffic behavior subset of the aggregated feature matrix corresponding to traffic behavior;applying the topic modeling algorithm to the traffic behavior subset to obtain a plurality of traffic ...

AREA EFFICIENT TRAFFIC GENERATOR

A packet and inspection system for monitoring the performance of one or more flows on a packet network comprises a processor and memory coupled to each other and to a network bus. The memory stores instructions to be executed by the processor and data to be modified by the execution of the instructions. A processor-controlled arbiter is coupled with the processor and the network bus, and upon reception of a packet on the bus or prior to transmission of a packet on the bus for one of said flows, the arbiter requests execution by the processor of selected instructions stored in the memory by providing the processor with the address of the selected instructions in the memory. The memory provides the processor with data associated with the selected instructions, and the processor modifies the data upon execution of the selected instructions. 1. A system to monitor the performance of one or more flows on a packet network , said system comprising:a distributed memory comprising a plurality of programmable instructions and related data;a processor coupled with said memory to execute one or more of said programmable instructions upon reception of a packet from one of said flow and to modify said related data;wherein said programmable instructions and related data can be modified without requiring a new load on the system in order to change the behavior.2. The system of in which said processor is implemented as a field programmable gate array (FPGA).3. A method to monitor the performance at a network device coupled to one or more flows in a packet network claim 1 , said method comprising:storing, in a distributed memory, a plurality of programmable instructions and related data;executing, by a processor coupled to said memory, one or more of said programmable instructions upon reception of a packet from one of said flow and to modify said related data; andmodifying said programmable instructions and related data without requiring a new load on the system in order to change ...

CYBERSECURITY SYSTEM

A computing device determines a peer group identifier and supplements netflow records with the peer group identifier. An authentication event block object is received that was sent to a first source window. The authentication event block object includes a user identifier, an IP address, and a peer group identifier. Members of the peer group are identified based on an expected network activity behavior. The user identifier and the peer group identifier are stored in association with the IP address in a cache. A netflow event block object sent to the first source window is received that includes a netflow packet IP address. Netflow data is parsed from the netflow event block object into a netflow record. When the stored IP address matches the netflow packet IP address, the netflow record is supplemented with the user identifier and the peer group identifier. The supplemented netflow record is output to summary data. 1. A non-transitory computer-readable medium having stored thereon computer-readable instructions that when executed by a processor cause a first computing device to:receive an authentication event block object sent to a first source window, wherein the authentication event block object includes a user identifier, an Internet protocol (IP) address associated with the user identifier, and a peer group identifier associated with the user identifier, wherein the user identifier identifies a user of a second computing device being monitored by the first computing device, wherein the peer group identifier identifies a peer group to which the user is assigned, wherein members of the peer group are identified based on an expected network activity behavior;store the user identifier and the associated peer group identifier in association with the IP address in a cache;receive a netflow event block object sent to the first source window, wherein the netflow event block object includes a netflow packet IP address;parse netflow data from the received netflow event ...

Computer Network Service Providing System Including Self Adjusting Volume Enforcement Functionality

A Computer Network Service Providing System including Self Adjusting Volume enforcement functionality and methods for diminishing or minimizing volume leakage. 1. A computerized system for computer network volume-quota enforcement based on dual-frequency volume-utilization monitoring and operative in conjunction with a service stopper operative for stopping service to a subscriber if his computer network volume-quota has been exceeded , the system comprising:a) a utilization monitor operative to monitor at least one subscriber for volume utilization and to provide updates accordingly to the stopper; andb) a dual-frequency monitoring controller operative to cause monitoring to occur at a first frequency when the subscriber is about to exceed his quota and at a second frequency lower than the first frequency when the subscriber is far from exceeding his quota.2. The system according to further comprising:a) a service stopper operative for stopping service to a subscriber if his computer network volume-quota has been exceeded.3. The system according to wherein the dual-frequency monitoring controller causes the monitor to monitor infrequently except when an indication has become available indicating that the subscriber is about to exceed his quota.4. The system according to wherein claim 3 , the subscriber's quota is supplied to the subscriber by a quota manager in chunks and wherein the indication comprises an indication that a last chunk remaining in the subscriber's quota claim 3 , has been supplied to the subscriber.5. The system according to wherein the indication comprises an estimate of whether or not the subscriber is likely to finish his quota before a next update is provided to the stopper claim 3 , assuming the second lower frequency continues to be used.6. The system according to wherein the indication comprises an estimate of the period of time remaining until the subscriber finishes his quota.7. The system according to wherein the estimate is a worst case ...

Managing network connections based on their endpoints

The disclosure relates generally to methods, systems, and apparatuses for managing network connections. A system for managing network connections includes a storage component, a decoding component, a rule manager component, and a notification component. The storage component is configured to store a list of expected connections for a plurality of networked machines, wherein each connection in the list of expected connections defines a start point and an end point for the connection. The decoding component is configured to decode messages from the plurality of networked machines indicating one or more connections for a corresponding machine. The rule manager component is configured to identify an unexpected presence or absence of a connection on at least one of the plurality of network machines based on the list of expected connections. The notification component is configured to provide a notification or indication of the unexpected presence or absence.

Dual-port mirroring system for analyzing non-stationary data in a network

Distinct sets of non-stationary data seen on a switch in data communication with one or more of computerized units in a network, are mirrored via two switch ports, which include a first port and a second port. A dual analysis is performed while mirroring said distinct sets of data. First data obtained from data mirrored at the first port are analyzed (e.g., using a trained machine learning model) and, based on the first data analyzed, the switch is reconfigured for the second port to mirror second data, which are selected from non-stationary data as seen on the switch (e.g., data received and/or transmitted by the switch). The second data mirrored at the second port is analyzed (e.g., using a different analysis scheme, suited for the selected data).

Network information collection and analysis of a plurality of mobile networks

An approach for network information collection and analysis of a plurality of mobile networks is provided. The approach receives a first request message including a first threshold sent from an application server. The approach sends a second request message to at least one network function. The approach receives a congestion report from the at least one network function which monitors for a change in a congestion status related to a base station that is crossing a second threshold. The approach derives a network information by combining the congestion report. The approach sends the network information to the application server, the first threshold indicating a range of the network information at which the application server wishes to be informed of the network information.

System and method for emitter detection

A signal receiver includes receive circuitry. The signal receiver further includes a processor coupled to the receive circuitry and configured to receive, from a filter, a stream of samples including a first set of samples. A data rate of an input of the filter may correspond to a data rate of an output of the filter. The first set of samples includes multiple samples. The processor is further configured to perform a detection operation on the first set of samples. The processor is further configured to detect a signal emitter based on the detection operation.

SYSTEM AND METHOD FOR MANAGEMENT OF CLOUD-BASED SYSTEMS

System and method for reporting usage of a network infrastructure includes obtaining a map that includes at least one flow-mapping that correlates a flow feature with a service and that correlates a flow feature with an endpoint type, wherein the endpoint types include at least a subscriber type and a service type; at a first computer, receiving flow telemetry of a network infrastructure, the flow telemetry representing at least the destination and source attributes for network traffic in the flow telemetry; categorizing the flow telemetry into at least a subscriber flow category based on the source and destination endpoint types of the traffic; for subscriber flow telemetry of a subscriber, processing the subscriber flow telemetry into at least one flow feature; identifying at least one service to attribute to at least a portion of the subscriber flow telemetry, the service identified through the processed flow feature and a flow-mapping.

SYSTEM AND METHOD FOR CACHING POPULAR CONTENT RESPECTIVE OF A CONTENT STRONG SERVER IN AN ASYMMETRICAL ROUTING TOPOLOGY

A computerized method of delivering popular content of a service delivery apparatus (SDA) in an asymmetrical network topology. The method comprises receiving a first acquisition request for content from a user node (UN) over an upstream data link, the request comprising at least a content identification (CID). An instruction is sent to the UN to redirect content requests to the SDA. A second acquisition request is sent from the SDA to a content source (CS) for the content requested by the first acquisition request, upon determination that the downstream data link between the UN and the CS is inaccessible to the SDA, the request including at least the CID. The content is received by the SDA from the CS. The received content from the SDA is sent to the UN. 1. A computerized method of delivering popular content of a service delivery apparatus (SDA) in an asymmetrical network topology , the method comprising:receiving a first acquisition request for content from a user node (UN) over an upstream data link, the request comprising at least a content identification (CID);sending an instruction to the UN to redirect content requests to the SDA;sending a second acquisition request from the SDA to a content source (CS) for the content requested by the first acquisition request, upon determination that the downstream data link between the UN and the CS is inaccessible to the SDA, the request including at least the CID;receiving the content by the SDA from the CS; andsending the received content from the SDA to the UN.2. The computerized method of claim 1 , wherein the request for content from the user node further comprising: any of a content source (CS) and a session ID.3. The computerized method of claim 1 , further comprising:determining if the requested content needs to be acquired.4. The computerized method of claim 3 , further comprising:storing the content in a storage of the SDA upon determination that the content needs to be acquired.5. A service delivery apparatus ( ...

Inspection of Traffic via SDN

A method and related apparatus for performing inspection of flows within a software defined network includes identifying a security appliance within a software defined network, identifying candidate traffic flows flowing in the software defined network to be inspected, selecting one of the candidate traffic flows for security inspection, and communicating with a software defined network controller to cause the one of the candidate traffic flows to be redirected towards the security appliance for inspection or to cause the one of the candidate traffic flows to be copied and a resulting copy thereof forwarded to the security appliance for inspection. 1. A method comprising:identifying a security appliance within a software defined network;identifying candidate traffic flows flowing in the software defined network to be inspected;selecting one of the candidate traffic flows for security inspection; andcommunicating with a software defined network controller to cause the one of the candidate traffic flows to be redirected towards the security appliance for inspection or to cause the one of the candidate traffic flows to be copied and a resulting copy thereof forwarded to the security appliance for inspection.2. The method of claim 1 , further comprising claim 1 , before selecting one of the candidate flows for inspection claim 1 , determining whether the security appliance has sufficient capacity to inspect traffic within the software defined network.3. The method of claim 1 , wherein selecting one of the candidate traffic flows comprises selecting the one of the candidate traffic flows based on an application associated with the one of the candidate traffic flows.4. The method of claim 1 , wherein selecting one of the candidate traffic flows comprises selecting the one of the candidate traffic flows based on a user associated with the one of the candidate traffic flows.5. The method of claim 1 , wherein selecting one of the candidate traffic flows comprises selecting ...