Patents by Inventor Mario Baldi

Mario Baldi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240129080
    Abstract: Packets may be transformed cryptographically or compressively in order to secure network communications and to preserve network bandwidth. The transformations may be applied at more than one protocol layer which can result in unnecessary operations such as encrypting or compressing data that is already encrypted. This wastes processing resources. A solution is to selectively apply transformations. A network appliance can receive an initial layer packet for transmission to a network destination. The initial layer header of the initial layer packet can be used to determine an initial state indicator that indicates an initial state (e.g., encrypted, compressed, etc.) of an initial layer payload of the initial layer packet. The initial layer packet can be encapsulated in a subsequent layer packet as a subsequent layer payload. Selectively applying a transform to the subsequent layer payload based on the initial state indicator can avoid the unnecessary operation.
    Type: Application
    Filed: October 13, 2022
    Publication date: April 18, 2024
    Inventors: Mario Baldi, Roger Andersson
  • Patent number: 11637787
    Abstract: In one example, a collection network node comprising a plurality of ingress ports obtains, at a first one of the plurality of ingress ports, a first copy of a packet of a packet flow comprising a plurality of packets. The collection network node determines whether the collection network node had previously obtained a copy of any of the plurality of packets of the packet flow. When it is determined that the collection network node had previously obtained a copy, the collection network node determines whether the collection network node had previously obtained a copy at the first one of the plurality of ingress ports or at a different one of the plurality of ingress ports. When it is determined that the collection network node had previously obtained a copy at a different one of the plurality of ingress ports, the collection network node refrains from forwarding the first copy.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: April 25, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mario Baldi, Murty Kotha
  • Publication number: 20220200910
    Abstract: Methods and systems for autonomous rule-based task coordination amongst edge devices are disclosed. Embodiments of the present technology may include a method for processing packet traffic at an edge device, the method including determining a side of a communication that corresponds to an edge device with regard to packet traffic. Embodiments may also include applying a task distribution rule to the packet traffic using the determined side of the communication that corresponds to the edge device to determine if a particular task related to the packet traffic should be executed at the edge device. In some embodiments, the task distribution rule is configured to ensure that the particular task is executed at only one side of the communication.
    Type: Application
    Filed: December 22, 2020
    Publication date: June 23, 2022
    Inventor: Mario Baldi
  • Patent number: 11005754
    Abstract: In one example embodiment, a network management device obtains a definition of a first network packet header, an identification of a condition indicating that a network packet has the first network packet header, and a definition of processing action information that includes a key and a processing action to be taken on the network packet when metadata in the network packet matches the key. The network management device merges custom network packet processing instructions written in a data plane programming language with pre-existing network packet processing instructions written in the data plane programming language to produce merged network packet processing instructions written in the data plane programming language. The custom network packet processing instructions define the first network packet header, identify the condition, and define the processing action information. The network management device provides the merged network packet processing instructions for execution by a network node.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: May 11, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: Mario Baldi
  • Publication number: 20200336436
    Abstract: In one example, a collection network node comprising a plurality of ingress ports obtains, at a first one of the plurality of ingress ports, a first copy of a packet of a packet flow comprising a plurality of packets. The collection network node determines whether the collection network node had previously obtained a copy of any of the plurality of packets of the packet flow. When it is determined that the collection network node had previously obtained a copy, the collection network node determines whether the collection network node had previously obtained a copy at the first one of the plurality of ingress ports or at a different one of the plurality of ingress ports. When it is determined that the collection network node had previously obtained a copy at a different one of the plurality of ingress ports, the collection network node refrains from forwarding the first copy.
    Type: Application
    Filed: July 7, 2020
    Publication date: October 22, 2020
    Inventors: Mario Baldi, Murty Kotha
  • Patent number: 10785164
    Abstract: In one example, a collection network node comprising a plurality of ingress ports obtains, at a first one of the plurality of ingress ports, a first copy of a packet of a packet flow comprising a plurality of packets. The collection network node determines whether the collection network node had previously obtained a copy of any of the plurality of packets of the packet flow. When it is determined that the collection network node had previously obtained a copy, the collection network node determines whether the collection network node had previously obtained a copy at the first one of the plurality of ingress ports or at a different one of the plurality of ingress ports. When it is determined that the collection network node had previously obtained a copy at a different one of the plurality of ingress ports, the collection network node refrains from forwarding the first copy.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: September 22, 2020
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Mario Baldi, Murty Kotha
  • Patent number: 10783169
    Abstract: A method for inferring a user interest from geo data items associated with the user. The method includes retrieving point-of-interests (PoIs) from a PoI information repository based on the geo data items, generating a weighted count of the PoI for each geo data item that is weighted based on an attribute of the geo data item, and aggregating the weighted count across all geo data items to generate a score of the PoI, wherein the interest level of the user is inferred based at least on the score of the PoI.
    Type: Grant
    Filed: January 31, 2013
    Date of Patent: September 22, 2020
    Assignee: The Boeing Company
    Inventors: Stanislav Miskovic, Mario Baldi, Ning Xia, Aleksandar Kuzmanovic
  • Patent number: 10642739
    Abstract: In one embodiment, a device in a network receives one or more data units. The device calculates a hash value based on the one or more data units and using a hash function. Ranges of hash values generated by the hash function are assigned to different devices along the path such that any given hash value generated by the hash function is assigned to a predefined number of the devices along the path. The device determines whether the calculated hash value is within the range of hash values assigned to the device. The device stores data derived from the one or more data units, when the device determines that the calculated hash value is within the range of hash values assigned to the device.
    Type: Grant
    Filed: September 11, 2017
    Date of Patent: May 5, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Mario Baldi, Amedeo Sapio, Fulvio Giovanni Ottavio Risso, Narendra Anand, Antonio Nucci
  • Publication number: 20190372906
    Abstract: In one example, a collection network node comprising a plurality of ingress ports obtains, at a first one of the plurality of ingress ports, a first copy of a packet of a packet flow comprising a plurality of packets. The collection network node determines whether the collection network node had previously obtained a copy of any of the plurality of packets of the packet flow. When it is determined that the collection network node had previously obtained a copy, the collection network node determines whether the collection network node had previously obtained a copy at the first one of the plurality of ingress ports or at a different one of the plurality of ingress ports. When it is determined that the collection network node had previously obtained a copy at a different one of the plurality of ingress ports, the collection network node refrains from forwarding the first copy.
    Type: Application
    Filed: August 8, 2018
    Publication date: December 5, 2019
    Inventors: Mario Baldi, Murty Kotha
  • Patent number: 10498618
    Abstract: A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: December 3, 2019
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Amedeo Sapio
  • Patent number: 10491529
    Abstract: In an example embodiment, a Software Defined Networking (SDN) application identifies a domain based on a destination address of a packet that is associated with a primary service. The domain corresponds to the primary service, and the primary service is configured to trigger one or more support flows from one or more ancillary services. The SDN application identifies the one or more support flows based on the domain, and generates one or more rules for distribution to one or more network elements that handle packets of the one or more support flows from the one or more ancillary services.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: November 26, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Mario Baldi, Han Hee Song, Antonio Nucci, Marco Mellia, Martino Trevisan, Idilio Drago
  • Patent number: 10419351
    Abstract: A method for classifying network traffic in a network. The method includes obtaining, from an application distribution source, an application distribution data set comprising information associated with distributing an application from the pre-determined application distribution source, extracting, based on a pre-determined extraction criterion, a token from the application distribution data set of the application, obtaining, from the network traffic, a plurality of flows generated by the application, extracting, in response to detecting the token in a flow of the plurality of flows, context information associated with the token in the flow, and generating an identification rule of the application based on the token and the context information, wherein the identification rule describes one or more rule steps to locate the token in the flow, wherein the network traffic is classified using at least the identification rule.
    Type: Grant
    Filed: April 4, 2013
    Date of Patent: September 17, 2019
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Stanislav Miskovic, Antonio Nucci
  • Patent number: 10332005
    Abstract: Embodiments of the invention provide a method, system, and computer readable medium for classifying network traffic based on application signatures generated during a training phase. The application signatures are generated based on tokens extracted from a training set that is generated by a particular application during the training phase. Accordingly, a new token extracted in real-time from current network data is compared to the application signatures to determine if the current network data is generated by the particular application.
    Type: Grant
    Filed: September 25, 2012
    Date of Patent: June 25, 2019
    Assignee: Narus, Inc.
    Inventors: Yong Liao, Mario Baldi, Stanislav Miskovic, Antonio Nucci, Qiang Xu
  • Patent number: 10263868
    Abstract: A method for applying a user-specific policy in a network. The method includes identifying a historical portion of network traffic of the network as associated with a user, analyzing, by a computer processor, the historical portion of network traffic to generate a fingerprint of the user, wherein the fingerprint represents characteristics of user activity in the network, identifying, by the computer processor, an ongoing portion of network traffic of the network as associated with the user, analyzing, by the computer processor and based on the fingerprint, the ongoing portion of network traffic to determine a match, wherein the match is determined at a time point within the ongoing portion of network traffic, and applying, in response to determining the match, the user-specific policy to the ongoing portion of network traffic subsequent to the time point.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 16, 2019
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Stanislav Miskovic, Antonio Nucci, Han Hee Song
  • Patent number: 10250465
    Abstract: Presented herein are network traffic/flow monitoring techniques for identifying a primary/core domain that is representative of the service being accessed by a series/set of network flows, and grouping networking traffic flows that result from the user's accessing of the core domain. In one example, a plurality of core domains each corresponding to a primary web service configured to be directly accessed by network flows via one or more networks is identified. For each of the plurality of core domains, one or more models of traffic activity resulting from access to the corresponding primary web service by a network flow is generated. Based on the models of traffic activity, real-time network traffic flows are associated to a selected one of the core domains.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: April 2, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Mario Baldi, Han Hee Song
  • Patent number: 10237151
    Abstract: A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: March 19, 2019
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Amedeo Sapio
  • Publication number: 20190079869
    Abstract: In one embodiment, a device in a network receives one or more data units. The device calculates a hash value based on the one or more data units and using a hash function. Ranges of hash values generated by the hash function are assigned to different devices along the path such that any given hash value generated by the hash function is assigned to a predefined number of the devices along the path. The device determines whether the calculated hash value is within the range of hash values assigned to the device. The device stores data derived from the one or more data units, when the device determines that the calculated hash value is within the range of hash values assigned to the device.
    Type: Application
    Filed: September 11, 2017
    Publication date: March 14, 2019
    Inventors: Mario Baldi, Amedeo Sapio, Fulvio Giovanni Ottavio Risso, Narendra Anand, Antonio Nucci
  • Publication number: 20190068468
    Abstract: A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
    Type: Application
    Filed: October 29, 2018
    Publication date: February 28, 2019
    Applicant: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Amedeo Sapio
  • Publication number: 20190007327
    Abstract: In an example embodiment, a Software Defined Networking (SDN) application identifies a domain based on a destination address of a packet that is associated with a primary service. The domain corresponds to the primary service, and the primary service is configured to trigger one or more support flows from one or more ancillary services. The SDN application identifies the one or more support flows based on the domain, and generates one or more rules for distribution to one or more network elements that handle packets of the one or more support flows from the one or more ancillary services.
    Type: Application
    Filed: June 30, 2017
    Publication date: January 3, 2019
    Inventors: Mario Baldi, Han Hee Song, Antonio Nucci, Marco Mellia, Martino Trevisan, Idilio Drago
  • Patent number: 10116538
    Abstract: A method for profiling network traffic. The method includes capturing, from the network traffic using a packet capturing device, a plurality of packets, identifying a first portion of the plurality of packets as a first flow based at least on a common Internet Protocol (IP) address assigned to each packet of the first flow by a network address translation (NAT) device, extracting, by a hardware processor separate from the NAT device and based on an NAT profile of the NAT device, a first data item from the first flow, wherein the first data item is inserted into the first flow by the NAT device for identifying a first host device coupled to the NAT device, and determining, by the hardware processor based on the first data item, that the first flow is generated by the first host device.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: October 30, 2018
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yong Liao, Amedeo Sapio