Patents Assigned to cPacket Networks Inc.
  • Patent number: 12088617
    Abstract: A system has a firewall ingress node carrying network traffic. An attack injector creates a network attack flow on the firewall ingress node and thereby forms with the network traffic a composite firewall input signal on the firewall ingress node. A firewall egress node carries a response signal corresponding to the composite firewall input signal. A network monitor is connected to the firewall ingress node and the firewall egress node. The network monitor includes a homodyne detector to multiply the response signal by an oscillating driver signal to form a product that is integrated over time to form a homodyne detector response signal that is larger when the homodyne detector response signal has some component with the same frequency as the oscillating driver signal.
    Type: Grant
    Filed: January 18, 2022
    Date of Patent: September 10, 2024
    Assignee: Cpacket Networks Inc.
    Inventors: Ron Nevo, Douglas Cooper, Tzahi Grunzweig
  • Patent number: 11528203
    Abstract: A system has a packet switch for routing network traffic. The packet switch includes a system counter to increment a counter time in predetermined time segments, time stamping logic to associate a received packet with the counter time, and an interval discriminator to assign a received packet to a selected interval counter of a set of interval counters based upon the counter time. A computer is connected to the packet switch. The computer has a memory with instructions executed by a processor to associate the counter time with a time of day, and collect values from the set of interval counters to generate network traffic activity data.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: December 13, 2022
    Assignee: Cpacket Networks Inc.
    Inventor: Peter John Sevcik
  • Patent number: 11483393
    Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive network session information from network monitoring devices distributed throughout an enterprise network. The network session information characterizes communications between a client device within the enterprise network and a server external to the enterprise network. The network session information is transformed into vectors of network communication session parameters. The vectors are combined into different time series of data. A similarity measure is computed between the different time series of data to detect unique sessions between the client device and a middlebox network device within the enterprise network or unique sessions between a middle box network device within the enterprise network and the server. The unique sessions are evaluated to infer relationships between networked devices within the enterprise network.
    Type: Grant
    Filed: August 6, 2020
    Date of Patent: October 25, 2022
    Assignee: Cpacket Networks Inc.
    Inventors: Sheng Lundquist, Douglas Cooper, Ron Nevo
  • Publication number: 20190007292
    Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to observe network packet exchanges between virtualized resources. Key performance indicators characterizing packet information and connection information are generated from the packet exchanges. The key performance indicators are routed to a network connected device.
    Type: Application
    Filed: June 28, 2017
    Publication date: January 3, 2019
    Applicant: Cpacket Networks Inc.
    Inventors: Ron Nevo, Hal Heisler, Murali Vinnakota
  • Publication number: 20190007293
    Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to evaluate internal packets from a first side of a network address translator with a first internet protocol address and a first port designation. External packets from a second side of a network address translator with a second internet protocol address and a second port designation are evaluated. A session start packet match is identified within the internal packets and the external packets. A session entry with a session start time is created in response to the session start packet match. A session end match is identified within the internal packets and the external packets. A session end time is recorded in response to the session end match.
    Type: Application
    Filed: June 28, 2017
    Publication date: January 3, 2019
    Applicant: Cpacket Networks Inc.
    Inventor: Ron Nevo
  • Publication number: 20190007285
    Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to collect from network connected devices key performance indicators characterizing network traffic information. The key performance indicators are aggregated into a time segment for a current weekday. Key performance indicators for the time segment for the current weekday are compared to corresponding key performance indicators for time segments from previous weekdays. The corresponding key performance indicators for time segments from previous weekdays establish a network behavior baseline. An alert is produced when the key performance indicators for the time segments for the current weekday exceed a deviation threshold from the network behavior baseline.
    Type: Application
    Filed: June 28, 2017
    Publication date: January 3, 2019
    Applicant: Cpacket Networks Inc.
    Inventors: Ron Nevo, Douglas Cooper
  • Patent number: 9787556
    Abstract: A system for monitoring and visualization of network data includes a plurality of first devices and a second device coupled to the plurality of first devices over a network. Each first device is associated with corresponding ones of a plurality of ports. Each first device is configured to determine network traffic analysis information associated with a characteristic of network data traversing each of the ports, and to push the network traffic analysis information across a network independent of a solicitation from the network. The second device is configured to generate a map of the network including a visual indicator based on the network traffic analysis information, to receive an update of the network traffic analysis information from at least one of the first devices, and to refresh the visual indicator in real time to reflect the update of the network traffic analysis information.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: October 10, 2017
    Assignee: cPacket Networks Inc.
    Inventor: Rony Kay
  • Patent number: 9407518
    Abstract: A system includes a first device and a second device configured to monitor a plurality of data flows traversing the second device. The second device is configured to collect statistics associated with the plurality of data flows, and includes traffic analysis logic that is configured to augment the plurality of data flows with data including statistical information based on the statistics and address information associated with the first device. The first device is configured to receive the data. The traffic analysis logic is operable to push the statistical information to the first device independently of a real-time request for at least a portion of the statistical information from the first device. The traffic analysis logic is configurable based on at least the address information.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: August 2, 2016
    Assignee: cPacket Networks Inc.
    Inventor: Rony Kay
  • Publication number: 20150236895
    Abstract: An apparatus includes a plurality of microcode controlled state machines and a first circuit. At least one of the microcode controlled state machines is configured to process network data received by the apparatus and to apply a first rule to the network data to produce an associated output indicating a first characteristic of at least a portion of the network data. The first circuit is configured to store a first portion of the network data received by the apparatus prior to the determination of the first characteristic, and to store a second portion of the network data received by the apparatus subsequent to the determination of the first characteristic. The first circuit is also configured to preserve the first portion and the second portion of the network data in response to the determination of the first characteristic.
    Type: Application
    Filed: December 22, 2014
    Publication date: August 20, 2015
    Applicant: Cpacket Networks Inc.
    Inventor: Rony Kay
  • Publication number: 20140173102
    Abstract: An apparatus includes microcode controlled state machines, data reduction logic, and push logic. At least one of the microcode controlled state machines is configured to generate first statistical data measured over time intervals of a first time granularity based on network data included in each of multiple data flows traversing the at least one of the microcode controlled state machines. The data reduction logic is configured to receive the first statistical data, and to obtain second statistical data having a volume reduced from a volume of the first statistical data based on performance of a mathematical operation on the first statistical data. The second statistical data is associated with time intervals of a second time granularity. The first time granularity is finer than the second time granularity. The push logic is configured to push the second statistical data across a network independent of a real-time request from the network.
    Type: Application
    Filed: December 4, 2013
    Publication date: June 19, 2014
    Applicant: cPacket Networks Inc.
    Inventor: Rony Kay
  • Publication number: 20140164609
    Abstract: A system for network monitoring and network traffic analysis includes a plurality of network devices and a management station. Each of the plurality of network devices is associated with corresponding ones of a plurality of ports. Each of the plurality of network devices is configured to determine network traffic analysis data associated with a characteristic of network data traversing each of the plurality of ports. The management station is configured to determine a ranking of the plurality of ports based on the network traffic analysis data in response to a search request implicating the characteristic, and is configured to display the plurality of ports based on the ranking.
    Type: Application
    Filed: December 4, 2013
    Publication date: June 12, 2014
    Applicant: cPacket Networks Inc.
    Inventor: Rony Kay
  • Patent number: 8665868
    Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: March 4, 2014
    Assignee: cPacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 8346918
    Abstract: An apparatus is described that performs biased and weighted sampling of network traffic to facilitate network monitoring. One embodiment of the apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines. A first individual microcode controlled state machine applies a first rule to the input data to determine first instructions associated with a first subset of the input data based on first sampling information associated with the first rule. A second individual microcode controlled state machine applies a second rule to the input data to determine second instructions associated with a second subset of the input data based on second sampling information associated with the second rule. The second sampling information differs from the first sampling information.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: January 1, 2013
    Assignee: CPacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 8296846
    Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier.
    Type: Grant
    Filed: July 9, 2009
    Date of Patent: October 23, 2012
    Assignee: CPacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 8024799
    Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.
    Type: Grant
    Filed: July 7, 2006
    Date of Patent: September 20, 2011
    Assignee: Cpacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 7937756
    Abstract: An embodiment of an apparatus that facilitates network security and traffic monitoring for input network traffic includes a plurality of microcode controlled state machines, each of which includes a computation kernel. A plurality of rules applied to a network traffic segment are distributed across the computation kernels. Each of the computation kernels includes condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in the microcode to produce an associated output. A distribution circuit routes the network traffic segment to each of the plurality of microcode controlled state machines. An aggregation circuit generates a decision on which forwarding of the network traffic segment is based, where the decision is a logical combination of the associated output of each of the computation kernels.
    Type: Grant
    Filed: August 19, 2005
    Date of Patent: May 3, 2011
    Assignee: Cpacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 7890991
    Abstract: An apparatus is described that provides security and monitoring in a networking architecture. One embodiment of the apparatus includes a physical layer interface that includes a physical layer receiver and a decoder for converting physical layer data from the physical layer receiver to data link layer information, wherein the decoder processes input data corresponding to the physical layer data based on rules conditioned on higher layer information to generate output data corresponding to the data link layer information; and a controller for provisioning the physical layer interface. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features, traffic management, and network traffic analysis.
    Type: Grant
    Filed: July 7, 2006
    Date of Patent: February 15, 2011
    Assignee: Cpacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 7882554
    Abstract: An apparatus is described that facilitates selective mirroring through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a port included in a set of at least one port, wherein each port in the set receives input traffic, a data processor that processes input data from the set of at least one port to generate mirrored data, based on rules with bitwise granularity across a header and a payload of the input data, and a mirror port selectable from the set of at least one port that transmits output traffic corresponding to the mirrored data. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of selective mirroring that enables flexible, advanced network security and monitoring features and network traffic analysis.
    Type: Grant
    Filed: July 7, 2006
    Date of Patent: February 1, 2011
    Assignee: Cpacket Networks, Inc.
    Inventor: Rony Kay
  • Patent number: 7603549
    Abstract: A cryptographic processor having an in-line (i.e., “bump-in-the-wire”) architecture processes data packets between a trusted domain and an untrusted domain, according to a predetermined security protocol. The cryptographic processor can be implemented as a stand-alone device, without requiring a change in the configuration of the host machine. Unlike a conventional hardware acceleration of a “bump-in-the-stack” implementation, which is typically implemented as a layer between the native IP layer and the network drivers in an IP protocol stack and uses a single bus interface (e.g., a PCI-X bus) for all data traffic, the cryptographic processor acts as a security gateway, providing separate interfaces for the trusted and the untrusted domains. The cryptographic processor includes pipeline stages for carrying a feedback encryption algorithm with optimal throughput.
    Type: Grant
    Filed: February 11, 2003
    Date of Patent: October 13, 2009
    Assignee: cPacket Networks Inc.
    Inventor: Rony Kay
  • Publication number: 20070056029
    Abstract: An apparatus is described that provides security and monitoring in a networking architecture. One embodiment of the apparatus includes a physical layer interface that includes a physical layer receiver and a decoder for converting physical layer data from the physical layer receiver to data link layer information, wherein the decoder processes input data corresponding to the physical layer data based on rules conditioned on higher layer information to generate output data corresponding to the data link layer information; and a controller for provisioning the physical layer interface. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features, traffic management, and network traffic analysis.
    Type: Application
    Filed: July 7, 2006
    Publication date: March 8, 2007
    Applicant: Cpacket Networks Inc.
    Inventor: Rony Kay