Abstract: A system and method in which one or more probing transactions are performed by transferring respective amounts of a cryptocurrency to one or more cryptocurrency addresses. The system then monitors and ascertains communications traffic exchanged with one or more IP addresses and that at least one of the probing transactions was downloaded to a particular IP address. The system then generates an output that can indicate an association between a cryptocurrency address of interest and the particular IP address.

Abstract: Methods and systems to identify the domain names that can potentially be used for delivering instructions to a bot, before bots on a computer network succeed in obtaining the instructions. The system maintains a device rating for each device that reflects a likelihood that the device is infected by malware. The system also maintains a domain-name rating for each device that reflects a likelihood that the domain name is malicious. When a device attempts to access a particular domain name, the domain-name rating of the domain name is updated in light of the device rating of the device, and/or update the device rating of the device in light of the domain-name rating.

Abstract: Systems and methods to track the respective locations of subjects over time. The system identifies subjects who, overtime, were co-located with one another suggesting they are associated with one another, and the pairs are analyzed. For each of the subjects, the system produces a vector that quantifies the subject's location history by including a respective weight for each combination of a time interval with a geographical area. The vectors are compared using a distance metric, and any pair of subjects whose vectors are sufficiently close are flagged as being an associated pair. The respective vector belonging to each subject is normalized to account for the total number of other subjects who were co-located with the subject. For each interval-area pair, the system may compute the frequency of the interval-area pair, and then divide each weight that corresponds to the interval-area pair by the frequency of the interval-area pair.

Abstract: A method of workforce optimization includes acquiring video data. The video data is obtained from a plurality of video cameras in a facility comprising a plurality of departments. A customer load for each of the plurality of departments is identified. A location of each of a plurality of employees in the facility is identified. A customer-to-employee ratio is determined for each department. The determined customer-to-employee ratio for each department is provided to a computing device. At least one employee deployment notification is provided from the computing device to another computing device.

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: Methods and systems for storing and managing large numbers of small files. A data processing system includes clients that generate large numbers be stored on a storage device managed by a File System (FS). An Archive Server (AS) receives multiple files from the client, archives the files in larger archives, and sends the archives to the FS for storage. When requested to read a file, the AS retrieves the archive in which the file is stored, extracts the file and sends it to the requesting client. In other words, the AS communicates with the clients in individual file units, and with the storage device in archive units. The AS is typically constructed as an add-on layer on top of a conventional FS, which enables the FS to handle small files efficiently without modification.

Abstract: Methods and systems for range matching. The system holds a definition of one or more ranges of Internet Protocol (IP) addresses. The definition may specify any desired number of ranges of any suitable size, and some ranges may overlap one another or be contained in one another. The definition may also specify certain returned values and/or relative priorities for the various ranges. In a pre-processing phase, a hash table that is subsequently queried with addresses to be range-matched. The hash table may be updated at run-time. During operation, the system receives addresses (e.g., extracts addresses from monitored communication traffic) and identifies by querying the hash table, for each address, whether the address falls within any of the ranges.

Abstract: A system for storing document collections in a manner that facilitates efficient querying. Each document vector is hashed, by applying a suitable hash function to the components of the vector. The hash function maps the vector to a particular hash value, corresponding to a particular hyperbox in the multidimensional space to which the vectors belong. The vector, or a pointer to the vector, is then stored in a hash table in association with the vector's hash value. Subsequently, given a document of interest, documents similar to the document of interest may be found by hashing the vector of the document of interest, and then returning the vectors that are associated, in the hash table, with the resulting hash value.

Abstract: A traffic-monitoring system that monitors encrypted traffic exchanged between IP addresses used by devices and a network, and further receives the user-action details that are passed over the network. By correlating between the times at which the encrypted traffic is exchanged and the times at which the user-action details are received, the system associates the user-action details with the IP addresses. In particular, for each action specified in the user-action details, the system identifies one or more IP addresses that may be the source of the action. Based on the IP addresses, the system may identify one or more users who may have performed the action. The system may correlate between the respective action-times of the encrypted actions and the respective approximate action-times of the indicated actions. The system may hypothesize that the indicated action may correspond to one of the encrypted actions having these action-times.

Abstract: A monitoring system monitors authentication sessions both on the air interface between the terminals and the network, and on at least one wired network-side interface between network-side elements of the network. The monitoring system constructs a database of sets of network-side authentication parameters using network-side monitoring. Each set of network-side authentication parameters originates from a respective authentication session and is associated with the International Mobile Station Identity (IMSI) of the terminal involved in the session. In order to start decrypting the traffic of a given terminal, the system obtains the off-air authentication parameters of that terminal using off-air monitoring, and finds an entry in the database that matches the air-interface authentication parameters. From the combination of correlated network-side and off-air authentication parameters, the processor is able to extract the parameters needed for decryption.

Abstract: The present invention generates a compression invariant motion timeline for a video. For each second in the video, the method uses an identification procedure to determine a stored key frame size, a frame counter, and an accumulated size of frames. The method then calculates and stores a motion value for the second using the stored key frame size, the frame counter, and the accumulated size of frames. The motion values for each second may be used to construct a timeline for the video.

Abstract: Machine learning techniques for classifying encrypted traffic with a high degree of accuracy. The techniques do not require decrypting any traffic and may not require any manually-labeled traffic samples. An automated system uses an application of interest to perform a large number of user actions of various types. The system further records, in a log, the respective times at which the actions were performed. The system further receives the encrypted traffic exchanged between the system and the application server, and records properties of this traffic in a time series. Subsequently, by correlating between the times in the log and the times at which the traffic was received, the system matches each of the user actions with a corresponding portion of the traffic, which is assumed to have been generated by the user action. The system thus automatically builds a labeled training set, which may be used to train a network-traffic classifier.

Abstract: Systems and methods for identifying sequences of encrypted packets that carry files between clients and application servers, and for estimating the sizes of these files. A traffic-monitoring system searches the traffic for connections that appear to carry file content. The system estimates the number of files that were transferred over the connection. Next, the system estimates the respective sizes of one or more of the files that were transferred over the connection. To perform this estimation, the system first “peels away” as many lower-level protocol headers as possible from each of the packets that carries part of the file, and identifies the size that is specified in the lowest-level payload that remains. Next, the system tallies the specified sizes. Finally, the system reduces the packet-size tally to account for an estimated overhead due to the encryption of the packets.

Abstract: An apparatus and techniques for constructing and utilizing a “dynamic dictionary” that is not a compiled dictionary, and therefore does not need to be recompiled in order to be updated. The dynamic dictionary includes respective data structures that represent (i) a management automaton that includes a plurality of management nodes, and (ii) a runtime automaton that is derived from the management automaton and includes a plurality of runtime nodes. The runtime automaton may be used to search input data, such as communication traffic over a network, for keywords of interest, while the management automaton manages the addition of keywords to the dynamic dictionary. Typically, at least two (e.g., exactly two) such dynamic dictionaries are used in combination with a static dictionary.

Abstract: Systems and methods for obtaining authentication vectors issued, for use by a mobile communication terminal, by a Home Location Register (HLR) that serves a cellular communication network independently of any cooperation with the cellular network. Further to obtaining the authentication vectors, a terminal is caused to communicate over a WiFi WLAN using an encryption key derived from the obtained authentication vectors, e.g., per the EAP-SIM or EAP-AKA protocol. Since the encryption key is known, communication from the terminal is decrypted. The authentication vectors may be obtained by (i) an “impersonating” Visitor Location Register (VLR) server that does not serve the cellular network; (ii) an interrogation device which, by imitating a legitimate base station serving the cellular network, solicits the mobile communication terminal to associate with the interrogation device; or (iii) an SS7 probe, which obtains authentication vectors communicated from the HLR server to other entities on the SS7 network.

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: Systems and methods for passive monitoring of computer communication that does not require performing any decryption. A monitoring system receives the traffic exchanged with each relevant application server, and identifies, in the traffic, sequences of messages—or “n-grams”—that appear to belong to a communication session between a pair of users. Subsequently, based on the numbers and types of identified n-grams, the system identifies each pair of users that are likely to be related to one another via the application, in that these users used the application to communicate (actively and/or passively) with one another. The system may identify those sequences of messages that, by virtue of the sizes of the messages in the sequence, and/or other properties of the messages that are readily discernable, indicate a possible user-pair relationship.

Abstract: An anomaly-detection system that gathers information relating to the relationships between entities and represents these relationships in a graph that interconnects each pair of related entities. The graph may represent a computer network, in which each node corresponds to a respective device in the network and each edge between two nodes indicates that the devices represented by the nodes exchanged communication with one another in the past. the system monitors each of the entities in the graph, by continually computing a single-entity anomaly score (SEAS) for the entity. If the SEAS exceeds a first threshold the system generates an alert. Otherwise, the system checks whether the SEAS exceeds a second, lower threshold. If so, the system computes a subgraph anomaly score (SAS) for the entity's subgraph. If the SAS exceeds a SAS threshold, an alert is generated. By computing the SAS in this manner resources are conserved.

Abstract: Systems and methods for malware detection techniques, which detect malware by identifying the C&C communication between the malware and the remote host. In particular, the disclosed techniques distinguish between request-response transactions that carry C&C communication and request-response transactions of innocent traffic. Individual request-response transactions may be analyzed rather than entire flows, and fine-granularity features examined within the transactions. As such, these methods and systems are highly effective in distinguishing between malware C&C communication and innocent traffic, i.e., in detecting malware with high detection probability and few false alarms.

Abstract: Embodiments for generating appropriate data sets for learning to identify user actions. A user uses one or more applications over a suitable period of time. As the user uses the applications, a monitoring device, acting as a “man-in-the-middle,” intermediates the exchange of encrypted communication between the applications and the servers that serve the applications. The monitoring device obtains, for each action performed by the user, two corresponding (bidirectional) flows of communication: an encrypted flow, and an unencrypted flow. Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow. Features of the encrypted communication may then be stored in association with the label to automatically generate appropriately-sized learning set for each application of interest.