877 results about "Traffic analysis" patented technology

Methods and devices for processing packets are provided. The processing device may include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

Third party cache appliances are configured into a content delivery service to enable such devices to cache and serve content that has been tagged for delivery by the service. The invention enables the content delivery service to extend the reach of its network while taking advantage of high performance, off-the-shelf cache appliances. If the third party caches comprise part of a third party content delivery network, the interconnection of caches to the CDS according to the present invention enables the CDS and the third party network to share responsibility for delivering the content. To facilitate such “content peering,” the CDS may also include a traffic analysis mechanism to provide the third party network with preferably real-time data identifying the content delivered by the CDS from the third party caches. The CDS may also include a logging mechanism to generate appropriate billing and reporting of the third party content that is delivered from the cache appliances that have been joined into the CDS.

A system and method for generating and transmitting false packets along with a true packet to thereby hide or obscure the actual message traffic. A new extension header having a plurality of fields is positioned in the hierarchy of Internet protocol headers that control passage of the false packets and the true packet through the network. A sending host computer generates a plurality of false packets for each true packet and transmits the false packets and the true packet containing the Internet protocol headers and the extension header over the network. The new extension header is decrypted and re-encrypted each host that handles a message packet that uses the new extension header to control the random re-encryption of the true packet body at random hosts and the random generation of false packets at each host visited by a true packet, at the recipient of the true packet, and at any hosts that receive a false packet.

Financial data including general ledger activity and underlying journal entries are examined to determine whether risks of material misstatement due to fraudulent financial reporting can be identified. The financial data is analyzed statistically and modeled over time, comparing actual data values with predicted data values to identify anomalies in the financial data. The anomalous financial data is then analyzed using clustering algorithms to identify common characteristics of the various transactions underlying the anomalies. The common characteristics are then compared with characteristics derived from data known to derive from fraudulent activity, and the common characteristics are reported, along with a weight or probability that the anomaly associated with the common characteristic is an identification of risks of material misstatement due to fraud. Large volumes of financial data are therefore efficiently processed to accurately identify risks of material misstatement due to fraud in connection with financial audits, or for actual detection of fraud in connection with forensic and investigative accounting activities. The analysis is enhanced by using flow analysis methods to select subsets of financial data to examine for anomalies. Flow analysis methods are also used to reveal useful business information found in money flow graphs of financial data.

The invention discloses a threat early warning and monitoring system and method based on big data analysis and a deployment architecture. The system comprises a data acquisition system module, which is used for carrying out real-time data acquisition on original network traffic; a data storage system module, which is used for carrying out data merging and data cleaning on the data collected by the data acquisition system module, and then, carrying out storage management; a real-time threat intelligent analysis system module, which is used for carrying out deep analysis and mining on security data through data mining, text analysis, traffic analysis, full-text search engine and real-time processing, and identifying unknown security threats in real time by combining an intrusion detection module, a network abnormal behavior module and a device abnormal behavior module; and a situation awareness display system module, which is used for carrying out comprehensive display on security threat situations stereoscopically in real time through a data visualization tool library. The threat early warning and monitoring system and method based on big data analysis and the deployment architecture are used for network security threat situation awareness and deep analysis under a plurality of service scenarios, and realize comprehensive abilities from attack early warning, attack identification to analysis and evidence obtaining.

A proxy-server system (15) connected preferably to a computer-telephone system (10) intercepts, processes, and analyzes as traffic-analysis results (68A-C) all forms of real- and non-real-time electronic communication passing over the network in the form of raw traffic data (61). The proxy-server system normalizes each communication into the measure of time needed by recipient(s) of the communication to understand the information contained therein. Once normalized, the data may be aggregated into summary reports (69A-C). As part of the analysis, the aggregated communication records are compared with user-defined rules to provide alerts if the individual or aggregated durations exceed boundaries set by the rules. In one embodiment, the summary reports may be integrated with general-ledger data (94) and other raw business data (74) via a relational database (72) to derive more accurate records of activity-based-costing information (76). Additionally, the data of the summary reports may be visualized in two- or three-dimensional representations of communication-flow patterns to illustrate in an intuitive and semantically scalable manner the desired level of detail for time and time-based expense consumed by the electronic interactions of an individual or organization.

Methods and apparatus for optimum matching of a traffic profile with an individual traffic flow using flow bifurcation and analysis. Bifurcation and duplication of packets that make up a flow received at an ingress element are forwarded to each of egress traffic and computation processor resources, such that egress traffic operations and traffic analysis operations may be performed concurrently without introducing jitter or delay in either bifurcated processing path. The traffic analysis includes maintaining flow statistics, flow stateful information and classifying the flow as a particular application traffic type. The optimum traffic profile for this application traffic type is then selected and applied to the individual flow. The traffic analysis data is forwarded to ingress and egress processing elements in real time, and ingress and egress traffic processing operations are dynamically adjusted in view of the traffic analysis data.

An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier. This embodiment further includes a first circuit that appends the hash identifier to the input data to produce modified input data based on the modification instructions, and that routes the modified input data in accordance with an output routing strategy. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.

A system for and method of analyzing the performance of a packet-switched network, the network automatically generating a traffic log each time a packet enters or exits the network and each traffic log including at least the time the traffic log was created, the addresses of the packet sender and packet recipient, and the entry and exit network nodes. A server collects a plurality of traffic logs, parses the available information therein and generates a plurality of histograms, each histogram being based on information gleaned from the plurality of traffic logs. The histograms may be representative of packet traffic passing through a host connected to the network, packet traffic passing through a node in the network or the amount of data that travels over a link between two nodes of the network. To increase the delivery speed of the histogram data from the server to a client, the histograms are preferably stored as flat files to achieve direct and rapid access to stored data.

A network verification tool is presented that allows a user to easily create tasks for a collection of task types. The collection of task types are hosted by probe network devices that are coupled to a network under test. The network under test includes network devices executing generic network software and particular hardware or software that is being tested. The probe network devices are coupled to an NVT server, which transmits tasks to the task types and interfaces with one or more NVT clients. The NVT clients can create tasks by entering the appropriate parameters within templates supplied by the NVT server. Any collection of task types can be included in the network verification tool, including traffic generators, traffic analyzers, large network emulators, session emulators, device queries and script tasks.

The invention discloses a data center flow control method and a data center flow control system based on openflow. Openflow switchboards are controlled to operate a topology discovery protocol through a network controller, so tha information of all network nodes and links is collected and a network topology value is calculated; and the network controller periodically carries out end-to-end flow analysis on flows, calculates optimized paths of all the flows and transmits the optimized paths to each openflow switchboard, monitors the states of all the network links in real time, and maintains or downloads the optimized paths of the new flows to each openflow switchboard, so that the use rate of network bandwidth resources and the accuracy and the reliability of network concentrated management can be improved, the variation of the network flow can be fitted by sensitively regulating a flow load in a network, and the use rate and the reliability of the network can be effectively improved. The data center flow control method and the data center flow control system based on the openflow has a good application prospect.

In a code division multiple access (CDMA) communications system including one or more terminals (such as customer premise equipments, CPEs) that communicate with a node (such as an Internet gateway) via at least a random access channel and a reservation-oriented channel, various schemes of managing communications traffic among the channels are provided. Decisions as to the channel on which a given terminal may transmit may be based on: traffic statistics (such as packet size or average data rate over a time period), traffic content (such as packet type), the terminal's output buffer loading (queue state, or “Q-state”), a history of the terminal's output buffer loading (one or more Q-states), and so forth. In one application, decisions in managing traffic in a live user's web browsing sessions may involve intelligent ascertainment of whether a given terminal is busy based on traffic analysis or output buffer loading.

An architecture for capture and generation, and a set of methods for characterization, prediction, and classification of traffic in packet networks are disclosed. The architecture consists of a device that stores packet timing information and processes the data so that characterization, prediction, and classification algorithms can perform operations in real-time. A methodology is disclosed for real-time traffic analysis, characterization, prediction, and classification in packet networks. The methodology is based on the simultaneous aggregation of packet arrival times at different times scales. The traffic is represented at the synchronous carrier level by the arrival or non-arrival of a packet. The invention does not require knowledge about the information source, nor needs to decode the information contents of the packets. Only the arrival timing information is required. The invention provides a characterization of the traffic on packet networks suitable for a real-time implementation. The methodology can be applied in real-time traffic classification by training a neural network from calculated second order statistics of the traffic of several known sources. Performance descriptors for the network can also be obtained by calculating the deviation of the traffic distribution from calculated models. Traffic prediction can also be done by training a neural network from a vector of the results of a given processing against a vector of results of the subsequent processing unit; noticing that the latter vector contains information at a larger time scale than the previous. The invention also provides a method of estimating an effective bandwidth measure in real time which can be used for connection admission control and dynamic routing in packet networks. The invention provides appropriate traffic descriptors that can be applied in more efficient traffic control on packet networks.

A firewall is described that is integrated in an input stage of a packet processing pipeline so that it recognizes and has access to internal information regarding the different services, such as conduit, intranet, Internet, local vs WAN, applications, and security zones, of a communication network, such as an adaptive private network (APN). The integrated firewall is able to dynamically access the service type, respond to the service type, and adjust the service type based on conditions in the network. Since application awareness and security functions are integrated, customers can set security policies on software applications. The integrated firewall also provides automatic detection of applications, classifies applications based on domain names, steers traffic to services according to software applications, reports on software applications in passthrough traffic, and provides analysis of traffic that does not match a software application so that a user can investigate and define custom applications.

New and improved techniques for a behavior analysis based DNS tunneling detection and classification framework for network security are disclosed. In some embodiments, a platform implementing an analytics framework for DNS security is provided for facilitating DNS tunneling detection. For example, an online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis.

Network traffic analysis is performed by deploying, across a network having a plurality of network nodes, at least one data collection agent, on at least two of the plurality of network nodes. Each data collection agent may monitor at each network node, a plurality of network connections instantiated during a monitoring time period. Data resulting from the monitoring is acquired from the data collection agents and an ontological description of the network is automatically created from the acquired data. The ontological description is dynamically updated and network traffic analysis is performed using the dynamically updating ontological description.

A network traffic analysis method for tracking, analyzing, and mitigating security threats in a network includes receiving information based on monitoring traffic at a plurality of layers at one or more monitors deployed in the network utilizing deep packet inspection; receiving information based on monitoring the traffic at an endpoint of the network; analyzing the monitored traffic from the endpoint and the one or more monitors to determine network infrastructure and cyber security posture of the network infrastructure; and providing visualizations based on the network infrastructure and the cyber security posture, continuously to track threats, watch lateral movement in the network of the traffic, and determine security event history in the network.

Methods and devices for processing packets are provided. The processing device may Include an input interface for receiving data units containing header information of respective packets; a first module configurable to perform packet filtering based on the received data units; a second module configurable to perform traffic analysis based on the received data units; a third module configurable to perform load balancing based on the received data units; and a fourth module configurable to perform route lookups based on the received data units.

The present invention provides a system and method for traffic analysis. Embodiments can be used to detect malevolent network activity such as worms, viruses, denial of service attacks, and unauthorized network routing. Upon detecting the activity, steps can then be taken to halt the spread and/or remove the malevolent network activity, thereby adding protection from such activity to the network. Other network activity of interest can also be detected.

A traffic measurement system and a traffic analysis method are provided. The traffic measurement system includes a plurality of measurement devices that collect all of packets flowing through Internet links, extract traffic data required to analyze traffic from the collected packets, and process the extracted data into predetermined flow types, and an analysis server that identifies applications of traffic by analyzing the traffic data transferred from the plurality of measurement devices as a whole, classifies the identified applications into predetermined traffic types, and outputs the classification result. The traffic measurement system measures the traffics in the Internet network and processes the measured traffics to generate detailed traffic statistical data according to applications. In particular, the traffics are analyzed considering measurement data from various points, and the data for identifying the applications are extracted from headers of the applications included in payloads of IP packets in real time. Accordingly, detailed traffic analysis result is provided.