532 results about "NetFlow" patented technology

An architecture for an integrated circuit apparatus and method that allows significant performance improvements for signature based network applications. In various embodiments the architecture allows high throughput classification of packets into network streams, packet reassembly of such streams, filtering and pre-processing of such streams, pattern matching on header and payload content of such streams, and action execution based upon rule-based policy for multiple network applications, simultaneously at wire speed. The present invention is improved over the prior art designs, in performance, flexibility and pattern database size.

A new network traffic data collection technique is presented. A group of information is received, and a determination is made whether to process the group of information for network data collection according to a sample mode and a sample rate. If the determination is to process the group of information, the group of information is processed for network data collection. The group of information is forwarded according to its destination address. The group of information can be an IP packet and the sample mode can be, for example, one of linear, exponential, natural log, burst and traffic attribute. To process the group of information, a determination is made whether the group of information is part of one or more recorded traffic flows. If not, a new entry in a table is created. If so, a field in an existing entry in the table is incremented. In addition, a traffic information packet is created and transmitted to a network traffic data collection application. The traffic information packet can consist of a header and one or more flow records.

Methods and apparatus for collection of Netflow data and export offload using network silicon. In accordance with aspects of the embodiments, the Netflow export and collection functions are offloaded to the network silicon in the chipset, System on a Chip (SoC), backplane switch, disaggregated switch, virtual switch (vSwitch) accelerator, and Network Interface Card/Controller (NIC) level. For apparatus implementing virtualized environments, one or both of the collection and export functions are implemented at the Physical Function (PF) and/or Virtual Function (VF) layers of the apparatus.

Methods and a system are provided for detecting a Quality of Service degradation in a network flow. A method includes configuring, by a monitoring element, at least two network elements on a path of a network flow to report statistical information pertaining to the network flow as time series data. The method further includes collecting, by the monitoring element, the time series data from the network elements. The method also includes computing, by the monitoring element, a similarity of the time series data. The method additionally includes indicating, by the monitoring element, the Quality of Service degradation when the similarity is below a specified similarity threshold.

The invention discloses a method for detecting a DOS/DDOS (denial of service/distributed denial of service) attack. The method comprises the following steps of: firstly extracting needed flow characteristic parameters from network stream data, determining abnormal time points and constructing a historical time window by analyzing the flow characteristic parameters, and then finding out first N destination IPs (internet protocols) with maximum flows for the abnormal time points, determining an abnormal destination IP by analyzing sub streams including all the selected destination IPs in the horizontal time window, and finally, confirming the attack and recognizing an abnormal stream. The method is different from a conventional packet-by-packet analyzing method, adapts to the characteristic of the huge flow of a backbone network, can meet the requirement on real-time performance in the abnormality detection of the Backbone Network, can detect the DoS/DDoS attack more precisely in the backbone network, and can recognize an attack stream in the backbone network, so that a network manager can set a router in time, filters the flow sent by an attacker, and prevents the flow from harming a destination host.

The invention discloses a weak supervision semantic segmentation method based on an attention directing inference network. The main content comprises the self-directing on the network attention and the supervision on the additional integration, wherein the supervision process is as follows: the attention directing inference network has two network streams of the classification stream and the attention mining; the classification stream is conductive to identifying the region of the class, the attention mining ensures that all regions possibly conductive to the classification decision making canbe included into the attention of the network, so that an attention graph becomes more complete and accurate, the attention graph can be jointly generated and trained through two loss functions; theextension of the attention directing inference network is imported to seamlessly integrate the additional supervision in the weak-supervision learning framework, thereby controlling the attention graph learning process. Based on the end-to-end framework, the supervision of the specific task can be directly applied to the attention graph at the training stage, and the difference between the weak supervision and the additional supervision can be reduced, and the generalization performance is improved.

The invention belongs to technical fields characterized by protocols and discloses an attack occurrence confidence-based network security situation assessment method and system. According to the attack occurrence confidence-based network security situation assessment method and system, a machine learning technology is adopted to analyze network stream data and calculate a probability that networkstreams belong to attack streams; a D-S evidence theory is used to fuse the information of multi-step attacks to obtain the confidence of attack occurrence; and a network security situation is calculated by means of situational factor integration on the basis of security vulnerability information, network service information and host protection strategies; and therefore, the accuracy of assessmentis effectively improved. Since the confidence information of detection equipment is added to the assessment system, the influence of false negatives and false positives can be effectively reduced. Anensemble learning method is adopted, so that the accuracy of confidence calculation can be improved. A network attack is regarded as a dynamic process, and merging processing is performed on the information of the multi-step attacks. Information fusion technology is adopted, so that network environment characteristics such as vulnerabilities, service information and protection strategies are comprehensively considered.

The invention discloses a method and a system for shortening time delay in a peer-to-peer network streaming media live broadcast system. The system is provided with a media source node and a cache routing server, wherein the media source node is used for the media resource management of the whole system; the cache routing server is used for media resource management, routing calculation and peer client end management in a local domain; the cache routing server is used for selecting a proper peer client end from other managed peer client ends and establishing streaming media data interaction with a request peer client end; when needed media streaming data does not exist in the peer client end managed by the cache routing server, the cache routing server is used for requesting needed streaming media data information from other cache routing servers and transmitting the needed streaming media data information to the request peer client end; and when the cache routing server is failed forobtaining the needed streaming media data from other cache routing servers, the cache routing server is used for obtaining the needed data from the media source node and transmitting the needed data to the request peer client end.

A mixed congestion control method based on packet loss and time delay comprehensively gives consideration to network packet loss and time delay information and conducts mixed mode control on congestion windows. Adjustment of the congestion windows is based on improvement of Fast congestion control in a fast mode. In a slow mode, a current network steady state window value is calculated according to network states at round-trip time interval, and then congestion control strategies based on CUBIC improvement is carried out. The mixed congestion control method comprehensively uses congestion control superiorities based on the time delay and the packet loss and adopts a mixed strategy to conduct congestion control, and a congestion window adjustment mode combining the two modes guarantees that the congestion windows rapidly achieve and continuously maintain a network steady state value. An improved congestion control algorithm can rapidly and effectively adjust the congestion control windows on a transport layer under high bandwidth, improve transmission throughput rate of a network flow and simultaneously guarantee a network to be stable.

The invention discloses a botnet distributed real-time detection method and system. The botnet distributed real-time detection method comprises the steps of generating a network flow metadata Netflow information and sending the network flow metadata Netflow information to a data detection component by a data generation component; extracting multiple training detection characteristics from marked training data and establishing a detection model serving as a detection standard of a real-time detection unit by a detection model training unit of the data detection component; and by the real-time detection unit of the data detection component, receiving the Netflow information sent in real time, extracting multiple detection characteristics and comparing with the detection model, and obtaining alarm information including a detection object identifier when the comparison result is matched, and comparing the alarm information with a blacklist and a whitelist of a host to obtain a confirmed controlled bot host and a doubtful controlled bot host. The scheme of the botnet distributed real-time detection method and system not only can be applied to an enterprise network with gigabit flow, but also can be applied to a ISPs network; and the overall detection performance of the botnet detection is improved.

The invention discloses an unconventional network access behavior monitoring system. The unconventional network access behavior monitoring system is set in an Internet data center (IDC) machine room of a telecom operator, connected with an access layer switch and a convergence layer router which are accessed in a high broadband user private network in a communication mode and collects traffic flow data based on NetFlow. The unconventional network access behavior monitoring system comprises a basic information database, an Internet Protocol (IP) traffic flow data acquisition and analysis module, a high broadband users private network border gateway protocol (BGP) routing information filtering module, a high broadband users private network active subscriber identity module, a high broadband users private network active user behavior legitimacy identifying module and a information display and blacklist management module. The invention further provides an unconventional network access behavior monitoring method. According to the unconventional network access behavior monitoring system and the monitoring method, aiming at high broadband (> 45 Mb/s) IDC clients, irregularities of unconventional accessing to telecom operator Internet through renting operators IDC data special line and the like is effectively monitored.

The method is designed based on NetraMet and NetFlow system. It uses a sampling ratio supporting a high-speed multi-link logical channel network traffic measurement, which can makes self-adaption to the message sampling ratio and the traffic sampling ratio according to the network traffic state and supports to use time slice approach to output the stream message. It uses a general approach to monitor the traffic in any channels.

The invention relates to an abnormal flow detection method and system based on a hybrid neural network, and the method comprises the steps: firstly, collecting network flow data, and carrying out thefeature extraction and data preprocessing through taking network flow as granularity; learning spatial features in the network traffic data through a convolutional neural network; inputting the features containing the spatial information into a bidirectional long-short time memory network to further learn the time sequence features of the bidirectional long-short time memory network; finally, outputting a detection result. Compared with an existing machine learning and deep learning abnormal flow detection method, the method has the advantages that high-dimensional features can be better mined, and the accuracy of an intrusion detection model is improved. The method is reasonable in design, and the accuracy rate, the detection rate and the accuracy rate of the obtained classification modelare all high.

The invention relates a self-adaptive semi-supervised network traffic classification method, system and equipment. The method comprises the following steps: acquiring a network stream, extracting thestream feature with the preset fixed quantity in each network stream to obtain a network stream feature vector; computing the centroid of the network stream feature vector in each type according to the marked network stream feature vector, thereby obtaining a vector set M; performing self-adaptive semi-supervised k-means clustering by taking the vector set M as an initial center point; mapping theobtained network stream in each type of cluster to the belonged traffic type according to the maximum posterior probability; taking the traffic cluster of the known type as the training data to trainan online traffic classifier. The invention further relates to a system, the system comprises an acquisition module, a vector set processing module, a clustering module, a classification module, andan output module. The invention relates to the equipment. The equipment comprises a processor, a memorizer, and a computer program stored on the memorizer and capable of being run on the memorizer.

The invention discloses a Botnet detection method based on Netflow and DNS blogs. The method includes the following steps: conducting quintuple correlation analysis on acquired Netflow data through an abnormal flow monitoring technique, and analyzing IP addresses of infected hosts of a service provider network, IP addresses of attack targets initiated by the IP addresses of the infected hosts and attack characteristics; and in a DNS server, acquiring DNS query request blogs, conducting correlation analysis on domain name request situations initiated when the IP addresses of the infected hosts attack the service provider network, searching for common domain name access records and eliminating normal common domain names, and obtaining FFSN dynamic malicious domain names. According to the method, the FFSN dynamic malicious domain names can be located quickly, locating precision and timeliness of the FFSN dynamic malicious domain names are greatly improved, and misjudgement rates are reduced.

The invention relates to streaming algorithms useful for obtaining summaries over unaggregated packet streams and for providing unbiased estimators for characteristics, such as, the amount of traffic that belongs to a specified subpopulation of flows. Packets are sampled from a packet stream and aggregated into flows and counted by implementation of Adaptive Sample-and-Hold (ASH) or Adaptive NetFlow (ANF), adjusting the sampling rate based on a quantity of flows to obtain a sketch having a predetermined size, the sampling rate being adjusted in steps; and transferring the count of aggregated packets from SRAM to DRAM and initializing the count in SRAM following adjustment of the sampling rate.

Managing network traffic to improve availability of network services by classifying network traffic flows using flow-level statistical information and machine learning estimation, based on a measurement of at least one of relevance and goodness of network features. Also, determining a network traffic profile representing applications associated with the classified network traffic flows, and managing network traffic using the network traffic profile. The flow-level statistical information includes packet-trace information and is available from at least one of Cisco NetFlow, NetStream or cflowd records. The classification of network flows includes tagging packet-trace flow record data based on defined packet content information. The classifying of network flows can result in the identification of a plurality of clusters based on the measurement of the relevance of the network features. Also, the classification of network traffic can use a correlation-based measure to determine the goodness of the network features.

The invention relates to an indirect distributed denial of service attack defense method and an indirect distributed denial of service attack defense system based on a Web agency. A behavior characteristic of a proxy-to-server network flow is described by extracting the space-time local property of the proxy-to-server network flow; the interference of a small-probability large value on an available signal is restrained by a nonlinear mapping function; a normal behavior model of the proxy-to-server network is constructed through a hidden semi-markov model (HsMM); normal degree estimation, namely long-time behavior estimation and short-time behavior estimation, under different time scales is performed by using behavior indexes acquired by the model; as to an abnormal behavior sequence (HTTP request sequence), an attack response is implemented by adopting a soft control method; and the basis of the soft control represents an HsMM model parameter and a structure index which are used for performing a normal behavior. The parameter for describing the proxy-to-server network is the space-time local property which is irrelevant to the change of the Web content on a target server; and the detection property of the method is the nature property based on the agent network flow and irrelevant to the size of the attack flow. By the method, the attack response can be realized before the resources of the target server are used by the attack flow, so that early detection can be realized effectively.

A method for acquiring and counting virtual private network VPN flow by using Netflow includes the following steps: VPN routing list information is configured on entrance service provider edge-node PE, wherein the corresponding relation with access port VPN identification and remote end PE identification is stored; expanded Netflow V9 template message carried with the VPN identification and remote end PE identification is sent to a top management server; the entrance PE samples the data flow flowing therethrough, corresponding VPN identification is obtained according to the access port of the data flow, the identification of remote-end PE is obtained and the data packet information obtained by sampling is buffered in the combined with the VPN routing list information; the data packet information is sent to the top management server after the sample message obtained by packaging according to the expanded Netflow V9 template; and the top management server analyzes the sample message according to the template message, and the VPN flow is counted.

The invention provides a NetFlow based botnet network detection system which comprises a data acquisition module, a pre-processing module, a node evaluation module, a topology discovery module and a correlation analysis module. The node evaluation module obtains suspected botnet network Pboti corresponding to a data stream I through an analytic function Fbot (vi). The correlation analysis module draws and analyzes a data stream communication diagram using the suspected botnet network Pboti as weight and calculates the probability that a target network is a botnet network, and the target network is the botnet network if the probability is larger than a set threshold value. The invention further provides a botnet network detection method. The NetFlow based botnet network detection system and method integrate high-efficiency NetFlow flow analysis, adopt an analysis algorithm, obtain threat coefficients of all nodes and the whole network topology structure and accurately screen botnet networks with complicated network topology, high mobility, high hiding performance and high perniciousness by being combined with specific topology structure of the target network.