Patents Assigned to Arbor Networks
-
Patent number: 7844696
Abstract: A system and method is provided for detecting, tracking and/or blocking control signal attacks, which can occur between local computer systems and/or between remote computer systems, network links, and/or routing systems over a computer network. The system includes a router monitor adapted to receive a plurality of control signals and related information from the computer network and to process the plurality of control signals and related information to detect one or more control signal anomalies. The router monitor is further adapted to generate a plurality of alert signals representing the one or more control signal anomalies. The system further includes a controller that is coupled to the router monitor and is adapted to receive the plurality of alert signals from the router monitor.
Type: Grant
Filed: June 27, 2002
Date of Patent: November 30, 2010
Assignee: Arbor Networks, Inc.
Inventors: Craig H. Labovitz, Scott Iekel-Johnson
-
Patent number: 7596807
Abstract: Technique for protecting a communications network, such as a computer network, from attack such as self-propagating code violations of security policies, in which the network is divided into “compartments” that are separated by access control devices such as firewalls. The access control devices are then used to stop the spread of self-propagating attack code, the “zero-day” worms, for example. However, the access control devices are configured such that upon activation legitimate in-use network services will not be jeopardized.
Type: Grant
Filed: October 14, 2003
Date of Patent: September 29, 2009
Assignee: Arbor Networks, Inc.
Inventors: Thomas Henry Ptacek, Douglas Joon Song, Jose Oscar Nazario
-
Publication number: 20090168648
Abstract: A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other, intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco System Inc.'s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure.
Type: Application
Filed: December 29, 2007
Publication date: July 2, 2009
Applicant: Arbor Networks, Inc.
Inventors: Craig Labovitz, Joseph Eggleston, Scott Iekel-Johnson
-
Patent number: 7529192
Abstract: In one aspect, it is realized that changes in routing configuration (and therefore network topology) may have an effect on how data is forwarded in a communication network. More particularly, it is realized the changes in the control plane have a statistical effect on information tracked in the data plane, and this relation may be used by a network manager in monitoring the network and determining a control plane cause of a data plane forwarding effect. For instance, a change in BGP routing information (control plane information) may affect the data forwarded by a router based on the changed BGP routing information (e.g., next hop data may be forwarded to a different BGP router attached to another physical port). A system and method are provided that correlate control plane and data plane information to support root cause analysis functions.
Type: Grant
Filed: July 21, 2003
Date of Patent: May 5, 2009
Assignee: Arbor Networks
Inventor: Craig H. Labovitz
-
Patent number: 7475141
Abstract: One or more networking apparatuses are employed to practice a networking method that improves a first networking device's likelihood in meeting its service level goals/commitments for a first group of network traffic serviced by the first networking device. Determination is made, away from the networking device, on whether the first network device is meeting the service level goals/commitments for the first group of network traffic. Determination may include monitoring the first group of network traffic at or away from the networking device. If the service level goals/commitments are not being met, a second group of network traffic (also serviced by the first networking device) is regulated. Regulation may be made at the networking device or away from the network device. Additionally, if the condition for regulation is no longer present, regulation may be moderated or removed. Further, the service level goals/commitments may include reliability and/or performance goals/commitments.
Type: Grant
Filed: July 31, 2001
Date of Patent: January 6, 2009
Assignee: Arbor Networks, Inc.
Inventors: Thomas E. Anderson, Stefan R. Savage, David J. Wetherall
-
Patent number: 7444404
Abstract: A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses.
Type: Grant
Filed: February 5, 2001
Date of Patent: October 28, 2008
Assignee: Arbor Networks, Inc.
Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
-
Patent number: 7359930
Abstract: A system and method are provided for monitoring traffic in an enterprise network. Similar hosts may be grouped using flow information. Network policy may then be created at the group level based on the signatures of the hosts and groups of hosts in the enterprise. Hosts may be arranged in hierarchical clusters. Some of these clusters may be selected as groups based on a desired degree of similarity between hosts in a group. The similarity between hosts may be determined based on similarity of network behavior of the hosts.
Type: Grant
Filed: November 21, 2002
Date of Patent: April 15, 2008
Assignee: Arbor Networks
Inventors: Eric S Jackson, Douglas J Song, Lawrence Benjamin Fleis, Aidan Christopher Dysart, Gerald R Malan
-
Patent number: 7058015
Abstract: A number of sensors are distributively deployed in a network, either integrally disposed in a number of routing devices of the network or externally disposed and coupled to the routing devices, to monitor and report on network traffic routed through the routing devices. A director is provided to receive network traffic reports from the sensors for the routing devices, and to determine whether moderating actions are to be taken to moderate an amount of network traffic, based at least in part on some of the network traffic reports received from the sensors. In one embodiment, upon determining moderating actions are to be taken, the director further determines what kind of moderating actions are to be taken, including where the moderating actions are to be taken. In one embodiment, the director further instructs appropriate ones of the sensors to cause the desired moderating actions to be applied on the network traffic going through some of the routing devices.
Type: Grant
Filed: August 4, 2000
Date of Patent: June 6, 2006
Assignee: Arbor Networks, Inc.
Inventors: David J. Wetherall, Thomas E. Anderson, Stefan R. Savage
-
Patent number: 6965574
Abstract: An apparatus is equipped to receive descriptive data for network traffic. In one embodiment, the apparatus is equipped to conditionally modify timing data of the network traffic to conform the timing data to the timing patterns of previously network traffic, when determined that the timing data of the network traffic are aberrations. Further, the apparatus is equipped with a query facility that supports a network oriented query language. The language includes specific network oriented language elements.
Type: Grant
Filed: June 20, 2001
Date of Patent: November 15, 2005
Assignee: Arbor Networks, Inc.
Inventors: Christopher L. Cook, Gretta E. Bartels
-
Publication number: 20050216956
Abstract: Technique for protecting a communications network, such as a computer network, from attack such as self-propagating code violations of security policies, in which the network is divided into “compartments” that are separated by access control devices such as firewalls. The access control devices are then used to stop the spread of self-propagating attack code, the “zero-day” worms, for example. However, the access control devices are configured such that upon activation legitimate in-use network services will not be jeopardized.
Type: Application
Filed: July 8, 2004
Publication date: September 29, 2005
Applicant: Arbor Networks, Inc.
Inventors: Douglas Orr, Thomas Ptacek, Douglas Song
-
Publication number: 20050018608
Abstract: An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time.
Type: Application
Filed: August 24, 2004
Publication date: January 27, 2005
Applicant: Arbor Networks, Inc.
Inventors: David Wetherall, Stefan Savage, Thomas Anderson
-
Publication number: 20050005017
Abstract: Technique for protecting a communications network, such as a computer network, from attack such as self-propagating code violations of security policies, in which the network is divided into “compartments” that are separated by access control devices such as firewalls. The access control devices are then used to stop the spread of self-propagating attack code, the “zero-day” worms, for example. However, the access control devices are configured such that upon activation legitimate in-use network services will not be jeopardized.
Type: Application
Filed: October 14, 2003
Publication date: January 6, 2005
Applicant: Arbor Networks, Inc.
Inventors: Thomas Ptacek, Douglas Song, Jose Nazario
-
Patent number: 6801503
Abstract: An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time.
Type: Grant
Filed: October 9, 2000
Date of Patent: October 5, 2004
Assignee: Arbor Networks, Inc.
Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson