Abstract: An apparatus and method for analyzing a network flow. The apparatus includes a parser for extracting flow identification information from the network flow, a flow metering unit, and a programmable controller and the parser, wherein the parser and flow metering unit are controlled in parallel by the programmable controller, wherein the programmable controller is implemented as state machine, and wherein the state machine includes a transition rule memory, a rule selector, and a state register, wherein the rule selector is configured for receiving an external input signal and an internal input signal from the state register and wherein the rule selector is configured for observing the internal and external input signal by means of the transition rule memory for transition rules and for changing the state of the state register and generation of an output signal having parsing or flow metering instructions when a transition rule applies.

Abstract: Mechanisms are provided for automatic address range detection for an IP network. Flow data is obtained comprising the source or destination IP addresses for the flow and one of: the other of the source or destination IP addresses; or direction data identifying the flow direction across the network boundary. A tree is generated representing IP addresses in the flow data. IP addresses with initial portions in common are represented in the tree with a node in common. Weights are assigned to nodes in the tree based on occurrences of the represented IP addresses in the flow data. The IP address range of the network is detected by identifying, based on the assigned weights, the node associated with the last initial address portion common to all IP addresses in the network. A device is automatically configured with the IP address range to differentiate IP addresses inside and outside the network.

Abstract: A data traffic monitor for determining a heavy distinct hitter (HDH) in a data stream, the data stream comprising a plurality of element-value (e,v) pairs, includes a HDH module, the HDH module configured to receive the plurality of (e,v) pairs from the data stream; and a counter block in communication with the HDH module, the counter block comprising a plurality of hash functions, and further comprising a respective pair of distinct counting primitives associated with each hash function of the plurality of hash functions, wherein each of the plurality of (e,v) pairs is added to one of the distinct counting primitives of the respective pair of distinct counting primitives for each of the plurality of hash functions in each of the plurality of counter blocks.

Abstract: A data traffic monitor for determining a heavy distinct hitter (HDH) in a data stream, the data stream comprising a plurality of element-value (e,v) pairs, includes a HDH module, the HDH module configured to receive the plurality of (e,v) pairs from the data stream; and a counter block in communication with the HDH module, the counter block comprising a plurality of hash functions, and further comprising a respective pair of distinct counting primitives associated with each hash function of the plurality of hash functions, wherein each of the plurality of (e,v) pairs is added to one of the distinct counting primitives of the respective pair of distinct counting primitives for each of the plurality of hash functions in each of the plurality of counter blocks.

Abstract: The present invention provides a system and method for time-series with compression accuracy as a function of time. Briefly described, in architecture, one embodiment of the system, among others, can be implemented as follows. The system includes a computer with a processor. The system performs a method receiving a data set on the computer, utilizing a plurality of filter banks to transform the data set into a plurality coefficients, wherein each coefficient is associated with a basis function, and quantizing the plurality of coefficients, wherein the quantization maps the plurality of coefficients into certain value ranges. Then, system further performs determining a threshold based upon each coefficient effect on a time domain, disregarding the coefficient that fall below the threshold, and storing any remaining coefficients as compressed data for the data set.

Abstract: Mechanisms are provided for automatic address range detection for an IP network. Flow data is obtained comprising one of the source and destination IP addresses for the flow and one of (a) the other of the source and destination IP addresses and (b) direction data indicative of the flow direction across the network boundary. A tree data structure is generated representing the IP addresses in the flow data. IP addresses with initial portions in common are represented in the tree with at least one node in common. Weights are assigned to nodes in the tree in dependence on occurrences of the represented IP addresses in at least a subset of the flow data. The IP address range of the network is then detected by identifying, in dependence on the assigned weights, the node associated with the last initial address portion common to all IP addresses in the network.

Abstract: A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.

Abstract: A method for managing attacks in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of packets, which include a plurality of administrative packets. The method includes determining whether a congestion of the administrative packets exists. Congestion of the administrative packets indicates that a potential attack exists. The method also includes discarding a portion of the plurality of administrative packets if it is declared that the congestion of the administrative packets exists. The portion of the plurality of packets is sufficient to ensure that a remaining portion of the plurality of packets transmitted is not more than a maximum administrative packet bandwidth limit and, if the plurality of administrative packets present a sufficient offered load, not less than a minimum administrative packet bandwidth guarantee.

Abstract: A method for providing a compressed index for a stream of binary data records comprises steps of indexing a field from each record in a bitmap index, compressing stored bits in each column of the bitmap index by replacing a group of successive bits with a code and outputting the code. There is provided at least one of a first code for replacing a sequence of a first filling, a literal and a second filling, and a second code for replacing a sequence of a first literal, a filling and a second literal. In this context, a filling is a sequence of bits with the same value and a literal is a sequence of bits with different values.

Abstract: Methods, systems and computer program products for detecting flow-level network traffic anomalies via abstraction levels. An exemplary embodiment includes a method for detecting flow-level network traffic anomalies in a computer network, the method including obtaining current distributions of flow level traffic features within the computer network, computing distances of the current distributions' components from a distributions model, comparing the distances of the current distributions to distance baselines from the distributions model, determining if the distances are above a pre-determined thresholds and in response to one or more of the distances being above the pre-determined thresholds in one or more distributions, identifying the current condition to be abnormal and providing indications to its nature.

Abstract: For determining a malicious workload pattern, the following steps are conducted. A training set of workload patterns is collected during a predetermined workload situation. A subset of the training set is being determined as an archetype set, the archetype set being considered to be representative of the predetermined workload situation. A threshold value dependent on the training set and the archetype set, and an evaluation value dependent on a given workload pattern and the archetype set are calculated. The given workload pattern is determined to be malicious if the evaluation value fulfils a given condition with respect to the threshold value.

Abstract: A method for probabilistic lossy counting includes: for each element in a current window, determining whether an entry corresponding to a current element is present in a table; in the event an entry corresponding to the current element is present in the table, incrementing a frequency counter associated with the current element; otherwise, inserting an entry into a table, wherein inserting an entry comprises: calculating a probabilistic error bound ? based on an index i of the current window; and inserting the probabilistic error bound ? and a frequency counter into an entry corresponding to the current element in the table; and at the end of the current window, removing all elements from the table wherein the sum of the frequency counter and probabilistic error bound ? associated with the element is less than or equal to the index of the current window.

Abstract: A system and method for monitoring packetized traffic flow in a network and enabling approximation of the rate information of a network flow. The method for monitoring network traffic flow includes receiving, at a network packet flow collector device, packetized traffic flow signals to be monitored; sampling said received packetized traffic flow signals in time to form an approximation of the packet flow rate in time; generating packet flow activity data comprising data representing the sampled traffic flow signals sampled in time; communicating the packet flow activity data to a network packet flow analyzer device and processing the flow activity data to form signals representing an approximate version of the network traffic flow in the network, the analyzer processing the traffic flow signals for reconstructing the rate of the netflow as a function of time.

Abstract: A method of calculating a valley-free shortest path between two autonomous systems having a first graph representing an autonomous system topology and comprising a plurality of nodes and a plurality of links interconnecting the nodes, each link linking a first and a second node of the plurality of nodes. The method comprises generating a second graph using the first graph by: Mapping the nodes of the first graph into the second graph, by representing each node of the first graph by a respective uphill node and a downhill node; mapping each link of the first, second and third relationship type with a plurality of directed links between the uphill and downhill nodes according to the type of relationship. The method further comprises calculating the shortest-path route between two autonomous systems on the second graph, using the shortest-path routing algorithm.

Abstract: A method and an apparatus for classifying a data network connectable computing device as a mobile computing device. Information related to the location of a registering device is determined. The determined location information is compared to a stored location information associated to this device. The device is detected as a mobile device when at least the stored location information is different to the determined location information. Neither the devices themselves nor any access mechanism to the data network have to be changed.

Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

Abstract: A method for determination of a network topology includes generating a list of device sets for a destination; removing any duplicate device sets from the list; creating a tree for the destination by introducing a root node into the tree; sorting the list of device sets for the destination by length; removing the shortest device set from the list; introducing a new node representing the shortest device set into the tree; determining whether a node in the tree represents a maximum length subset of the shortest device set, and in the event that a node is determined, connecting the new node to the determined node, or else connecting the new node to the root node; setting the identifier of the introduced node to a list of members of the shortest device set that are not included in the maximum length subset of the determined node.

Abstract: A method for configuring network device adapted to process network traffic comprising a plurality of network flows and to export network flow information. For configuring the network device, a copy of the network traffic that is processed by the network device is created. A simulation of a process of collecting the network flow information using the copy of the network traffic is performed. Based on the results of the simulation, a preferred information collection scheme is determined. The network device is then configured to collect the network flow information to be exported according to the preferred information collection scheme.

Abstract: Systems, methods, and computer program products for extracting port-level information of Web services with flow-based network monitoring. Exemplary embodiments include a method for extracting port-level information of Web services with flow-based network monitoring, the method including identifying a registry machine, coupling the registry machine to a traffic meter and flow monitor dynamically configuring the traffic meter, including exporting a first n bytes of a traffic payload exporting a sub-second traffic flow start and end times, extracting service provider information from traffic flow exports, including analyzing the exported n bytes of the traffic payload to extract port-level information at the flow monitor, extracting a value of an access point element, mapping a logical service provider address to a physical address and inserting the service into a Web Service Provider Registry within the flow meter, thereby populating the Web Service Provider Registry.