Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.

Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring flows of packets over a network. If a network monitoring computer (NMC) in a cluster of NMCs observes a new network flow, the NMC may perform a variety of actions to determine the NMC that is responsible for monitoring the new network flow. Network traffic associated with the new network flow may be buffered in a non-transitory processor readable media. The new network flow may be registered with the plurality of NMCs, providing an identifier that corresponds to one NMC. Registering may include, assigning the NMC a responsibility to monitor the new network flow. If the identifier corresponds to the NMC that observed the new network flow, the network traffic associated with the new network flow is processed using that NMC. If the identifier corresponds to another NMC, the buffered network traffic is forwarded to the other NMC.

Abstract: The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer.

Abstract: The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer.

Abstract: The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer.

Abstract: The various embodiments provide selective real-time monitoring of one or more flows of packets over a network, real-time buffering of packets for the one or more monitored flows, real-time recording of packets for one or more monitored flows and its corresponding buffered packets based on initiation of at least one trigger, and real-time analysis of the one or more recorded flows of packets regarding at least the occurrence of the at least one trigger. One or more flows of packets may be selected for monitoring by an administrator or an automated process based on different factors. In at least one of the various embodiments, the one or more monitored flows of packets are tagged and threaded so that they are separately accessible in a ring buffer.