Abstract: A method for identifying a network application. The method includes analyzing metadata and source code of a network application to extract a set of application tokens, generating an index document of the network application based on the set of application code tokens, wherein the index document is included in a library of index documents corresponding to a number of network applications, extracting a set of packet header tokens from a packet header of a packet in a flow, comparing the set of packet header tokens to the set of index documents to generate a number of match scores, wherein each match score represents a similarity measure between the set of packet header tokens and one index document, and determining, based on a highest match score corresponding to a particular network application, that the flow is generated by the particular network application.

Abstract: The disclosed computer-implemented method for automated classification of application network activity may include (1) building a lexicon dictionary that comprises lexical keywords, wherein network streams whose headers contain a given lexical keyword represent communications of an activity type that is associated with the given lexical keyword in the lexicon dictionary, (2) identifying, at a network vantage point, a network stream that represents a communication between an application and a server, (3) extracting, through a lexical analysis that utilizes the lexicon dictionary, a set of keywords from one or more header fields of the network stream, and (4) classifying the network stream based on activity types associated with each keyword in the set of keywords that were extracted from the header fields of the network stream. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for profiling network traffic of a network. The method includes extracting cells from bi-directional payloads generated by a network application, wherein each cell comprises at least one direction reversal in a corresponding bi-directional flow, generating a cell group comprising a portion of the cells that are similar, analyzing the cell group to generate a signature of the network application, and classifying, based on the signature of the network application, a new bi-directional flow as being generated by the network application.

Abstract: A method for identifying a network application. The method includes analyzing metadata and source code of a network application to extract a set of application tokens, generating an index document of the network application based on the set of application code tokens, wherein the index document is included in a library of index documents corresponding to a number of network applications, extracting a set of packet header tokens from a packet header of a packet in a flow, comparing the set of packet header tokens to the set of index documents to generate a number of match scores, wherein each match score represents a similarity measure between the set of packet header tokens and one index document, and determining, based on a highest match score corresponding to a particular network application, that the flow is generated by the particular network application.

Abstract: The disclosed computer-implemented method for reverse-engineering malware protocols may include (1) decrypting encrypted network traffic generated by a malware program, (2) identifying at least one message type field in the decrypted network traffic, (3) identifying at least one message in the decrypted network traffic with the identified message type, and (4) inferring at least a portion of a protocol used by the malware program by analyzing the identified message to identify a field type for at least one data field of the identified message of the identified message type. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for identifying compromised devices within industrial control systems may include (1) monitoring network traffic within a network that facilitates communication for an industrial control system that includes an industrial device, (2) creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes (A) a network protocol used to communicate with the industrial device and (B) normal communication patterns of the industrial device, (3) detecting at least one message that involves the industrial device and at least one other computing device included in the industrial control system, (4) determining, by comparing the message with the message protocol profile, that the message represents an anomaly, and then (5) determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.

Abstract: A method for identifying a network application. The method includes analyzing metadata and source code of a network application to extract a set of application tokens, generating an index document of the network application based on the set of application code tokens, wherein the index document is included in a library of index documents corresponding to a number of network applications, extracting a set of packet header tokens from a packet header of a packet in a flow, comparing the set of packet header tokens to the set of index documents to generate a number of match scores, wherein each match score represents a similarity measure between the set of packet header tokens and one index document, and determining, based on a highest match score corresponding to a particular network application, that the flow is generated by the particular network application.

Abstract: The disclosed computer-implemented method for automated classification of application network activity may include (1) building a lexicon dictionary that comprises lexical keywords, wherein network streams whose headers contain a given lexical keyword represent communications of an activity type that is associated with the given lexical keyword in the lexicon dictionary, (2) identifying, at a network vantage point, a network stream that represents a communication between an application and a server, (3) extracting, through a lexical analysis that utilizes the lexicon dictionary, a set of keywords from one or more header fields of the network stream, and (4) classifying the network stream based on activity types associated with each keyword in the set of keywords that were extracted from the header fields of the network stream. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for analyzing a content delivery network. The method includes obtaining network traffic flows corresponding to user nodes accessing contents from a set of servers of the content delivery network, extracting a timing attribute from each network traffic flow associated with a server, where the timing attribute is aggregated into a timing attribute dataset of the server based on all network traffic flows associated with the server, generating a statistical measure of the timing attribute dataset as a portion of a feature vector representing the server, where the feature vector is aggregated into a set of feature vectors representing the set of servers, analyzing the set of feature vectors based on a clustering algorithm to generate a set of clusters, and generating, based on the set of clusters, a representation of server groups in the content delivery network.

Abstract: The disclosed computer-implemented method for identifying compromised devices within industrial control systems may include (1) monitoring network traffic within a network that facilitates communication for an industrial control system that includes an industrial device, (2) creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes (A) a network protocol used to communicate with the industrial device and (B) normal communication patterns of the industrial device, (3) detecting at least one message that involves the industrial device and at least one other computing device included in the industrial control system, (4) determining, by comparing the message with the message protocol profile, that the message represents an anomaly, and then (5) determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.

Abstract: A method for profiling network traffic of a network. The method includes extracting cells from bi-directional payloads generated by a network application, wherein each cell comprises at least one direction reversal in a corresponding bi-directional flow, generating a cell group comprising a portion of the cells that are similar, analyzing the cell group to generate a signature of the network application, and classifying, based on the signature of the network application, a new bi-directional flow as being generated by the network application.

Abstract: A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.

Abstract: A method for profiling network traffic of a network. The method includes extracting cells from bi-directional payloads generated by a network application, wherein each cell comprises at least one direction reversal in a corresponding bi-directional flow, generating a cell group comprising a portion of the cells that are similar, analyzing the cell group to generate a signature of the network application, and classifying, based on the signature of the network application, a new bi-directional flow as being generated by the network application.

Abstract: A method for accessing (e.g., processing, storing, retrieving, etc.) network traffic data of a network. The method includes using separate data analysis device and data access device for capturing and analyzing network traffic data blocks concurrently and cooperatively to store and retrieve large amount of high speed network traffic data. In particular, the data analysis device and the data access device are synchronized using a linked set containing unique data block identifier and associated packet identifiers. The synchronization allows the data analysis device to focus on the full packet analysis task and the data access device to focus on the full packet storing and retrieving task without analyzing full packet content.

Abstract: A method for profiling network traffic of a network. The method includes identifying a training set having captured payloads corresponding to a set of flows associated with a network application, determining a set of signature terms from the training set, representing a portion of the captured payloads as regular expressions, representing a regular expression as a path in a term transition state machine (TTSM) including states coupled by at least a link that is assigned a signature term and a transition probability, the transition probability corresponding to a signature term transition to the signature term in the regular expression, and analyzing, based on the TTSM according to at least the transition probability, a flow separate from the set of flows and associated with a server in the network to determine the server as executing the network application.

Abstract: A method for profiling network traffic of a network, including defining a set of features each corresponding to a set of pre-determined bit positions for selecting a pre-determined number of data bits from each flow in a flow set generated by a network application to form a feature value assigned to the feature for the each flow, identifying the feature as a deterministic feature based on a frequency of occurrence of the feature value, extracting a set of paths from the flow set based on a number of deterministic features, generating a state machine based on the set of paths, and analyzing a new flow associated with a server in the network to determine the server as executing the network application.

Abstract: A method for profiling network traffic of a network. The method includes identifying a training set having captured payloads corresponding to a set of flows associated with a network application, determining a set of signature terms from the training set, representing a portion of the captured payloads as regular expressions, representing a regular expression as a path in a modified term transition state machine (MTTSM) including states coupled by at least a link that is assigned a signature term, and analyzing, based on the MTTSM, a flow separate from the set of flows and associated with a server in the network to determine the server as executing the network application.