3131 results about "Network monitoring" patented technology

Apparatus and accompanying methods for use therein for implementing an integrated, virtual office user environment, through an office server(s), through which a remotely stationed user can access typical office network-based applications, including e-mail, file sharing and hosted thin-client programs, through a remotely located network, e.g., WAN, connected web browser. Specifically, a front end, namely a service enablement platform (SEP), to one or more office servers on a LAN is connected to both the WAN and LAN and acts both as a bridge between the user and his(her) office applications and as a protocol translator to enable bi-directional, web-based, real-time communication to occur between the browser and each such application. During initial operation, the SEP, operating under a default profile, establishes, over an analog connection to the WAN, a management session with the site to obtain customer WAN access information, then tears down the analog connection and establishes a broadband WAN connection through which the SEP re-establishes its prior session and obtains a client certificate and its customized profile. The SEP then re-initializes itself to that particular profile.

A probe apparatus, method and computer program product for application monitoring are provided. A data collection module collects data from a network segment. A flow processor coupled to the data collection module classifies the collected data into a plurality of flows. A capture system coupled to the flow processor filters and buffers the collected data. A main processor processes the filtered data.

Methods, apparati, and computer program products for detecting and responding to fast-spreading network worm attacks include a network monitoring module (110), which observes (205) failed network connection attempts from multiple sources. A logging module (120) logs (220) the failed connection attempts. An analysis module (150) uses the logged data on the failed connection attempts to determine (225) whether a sources is infected with a worm using a set of threshold criteria. The threshold criteria indicate whether a source's failed connection attempts are non-normal. In one embodiment, a response module (160) responds (240) to the computer worm by, e.g., alerting a user or system administrator, terminating an infected process (20), or terminating the infected source's network access.

Methods, apparatuses and systems that facilitate the classification of web services network traffic. In one implementation, the present invention processes interface definitions corresponding to a given Web service to construct a traffic classification configuration for the Web service, including one or more traffic classes and corresponding matching rules or attributes for each traffic class. In one implementation, the present invention automatically creates traffic classes and matching rules that allow for differentiation between the operations supported by a Web service. Implementations of the present invention provide a mechanism allowing for classification of Web services network traffic on a granular basis to enhance network monitoring and analysis tasks, as well as network control functions, such as bandwidth management, security and other functions.

Service-centric communication network monitoring apparatus and methods are provided. Service traffic, associated with a third-party service provided by an external service provider that is controlled independently of a communication network, is identified in communication traffic that is being transferred through that communication network. The identified service traffic is monitored, for example, to compile service usage statistics, to police usage of the service, to generate billing records for usage of the service, and/or to mirror the identified service traffic. A registry in which the service is registered may interact with a monitoring system of the communication network so as to establish monitoring for the service traffic.

The network monitoring system collects transmission and/or receive power level information from a plurality of customer premise devices connected to the same distribution node for each of a plurality of network distribution nodes. For an individual network distribution node, the network monitoring system calculates a set of fluctuation parameters including a group power level deviation metric, e.g., a modified standard deviation ratio. The network monitoring system evaluates the generated fluctuation parameters and responds, e.g., outputting a fluctuations report, modifying a data collection profile being used by a set of customer premise devices corresponding to a distribution node, commanding diagnostics to be performed on a portion of the network and/or directing a service technician. The network monitoring system compares generated fluctuation parameters corresponding to different distribution nodes, and uses the results of the comparison to assign priority with regard to the assignment of limited available troubleshooting and repair resources.

A network monitoring architecture for multiple computer network systems is disclosed. In particular, the network monitoring architecture includes an agent system installed within each computer network and a remote central management unit in communication with the agent system of each computer network. The agent systems collect data from key network devices that reside on the corresponding computer network, and send the collected data to the remote central management unit as a message through the Internet. The data from the computer networks are processed at the remote central management unit to determine imminent or actual failure of the monitored network devices. The appropriate technicians can be immediately notified by the central management unit through automatically generated messages.

A user gains access to a private network by connecting to a network, either through a hardwired or wireless connection, and then initiates an Internet access request targeting any website. If the user is not already authorized for Internet access, then the user is sent to a first predetermined website that points the user to an authentication server accessible via the Internet. The authentication server sends the user an HTTP form pages requesting authentication information. When the user responds, a network monitoring device within the private network alters the form page to include the user's hardware address and an encoded ID based on the network's location. The authentication server forwards this data to a gate keeper server, which authenticates the new user and transmits an unblock message along with another encoded ID based on the network's location and the user's hardware address.

A system for identifying chronic performance problems on data networks includes network monitoring devices that provide measurements of performance metrics such as latency, jitter, and throughput, and a processing system for analyzing measurement data to identify the onset of chronic performance problems. Network behavior is analyzed to develop a baseline performance level (e.g., computing a mean and variance of a baseline sample of performance metric measurements). An operating performance level is measured during operation of the network (e.g., computing a mean and variance of an operating sample of performance metric measurements). A chronic performance problem is identified if the operating performance level exceeds a performance threshold and a difference between the baseline performance level and the operating performance level is determined to be statistically significant. A t-test based on the baseline mean and variance and the operating mean and variance can be used to determine if this difference is significant.

A method of and monitor apparatus for analyzing a flow of packets passing through a connection point on a computer network. The method includes receiving a packet from a packet acquisition device, and looking up a flow-entry database containing flow-entries for previously encountered conversational flows. The looking up to determine if the received packet is of an existing flow. Each and every packet is processed. If the packet is of an existing flow, the method updates the flow-entry of the existing flow, including storing one or more statistical measures kept in the flow-entry. If the packet is of a new flow, the method stores a new flow-entry for the new flow in the flow-entry database, including storing one or more statistical measures kept in the flow-entry. The statistical measures are used to determine metrics related to the flow. The metrics may be base metrics from which quality of service metrics are determined, or may be the quality of service metrics.

A procedure for accomplishing surveillance within a managed VoP network when end-user encryption/decryption and NAT are in place. The procedure comprises first analyzing the network from call signaling and message standpoints, leading to the identification of suitable surveillance access points (SAPs) for packet interception. A Delivery Function (DF) facilitated by the network service provider provides the means to intercept (without alteration) and replicate packets transmitted across the SAPs. The packets are then transmitted via the DF for collection within a Collection Function (CF), which is managed by a Law Enforcement Agency (LEA), for analysis by the LEA. This analysis provides, among other benefits, the opportunity to decrypt the intercepted packets and to identify additional suitable SAPs. In demonstrating the procedure, several embodiments of network surveillance models are described. Each one identifies the location of SAPs for that model. In each model, different information is collected and different processes are followed.

In one embodiment, a network architecture includes a plurality of application monitoring modules for monitoring network traffic data in a plurality of network segments. Network monitoring modules include a staging area that receives network traffic data from a packet capture and analysis engine and an indexing area that stores the data in meta-flow tuples with associated measures divided into time interval buckets. Index tables store dimension-based sorted pointers to the storage locations in the data buckets. HyperLock queries collect time aggregated results for measure based operators with respect to a queried dimension. For each value of the queried dimension, the time interval buckets are traversed compiling a partial result that is finally stored in a stack as the time aggregated value. The stored sorted pointers are used to determine the starting location in each bucket with respect to the next value of the queried dimension.

System and Method for detecting anomalous network application behavior. Network traffic between at least one client and one or more servers may be monitored. The client and the one or more servers may communicate using one or more application protocols. The network traffic may be analyzed at the application-protocol level to determine anomalous network application behavior. Analyzing the network traffic may include determining, for one or more communications involving the client, if the client has previously stored or received an identifier corresponding to the one or more communications. If no such identifier has been observed in a previous communication, then the one or more communications involving the client may be determined to be anomalous. A network monitoring device may perform one or more of the network monitoring, the information extraction, or the information analysis.