Patents Assigned to cPacket Networks Inc.
-
Patent number: 12088617
Abstract: A system has a firewall ingress node carrying network traffic. An attack injector creates a network attack flow on the firewall ingress node and thereby forms with the network traffic a composite firewall input signal on the firewall ingress node. A firewall egress node carries a response signal corresponding to the composite firewall input signal. A network monitor is connected to the firewall ingress node and the firewall egress node. The network monitor includes a homodyne detector to multiply the response signal by an oscillating driver signal to form a product that is integrated over time to form a homodyne detector response signal that is larger when the homodyne detector response signal has some component with the same frequency as the oscillating driver signal.
Type: Grant
Filed: January 18, 2022
Date of Patent: September 10, 2024
Assignee: Cpacket Networks Inc.
Inventors: Ron Nevo, Douglas Cooper, Tzahi Grunzweig
-
Patent number: 11528203
Abstract: A system has a packet switch for routing network traffic. The packet switch includes a system counter to increment a counter time in predetermined time segments, time stamping logic to associate a received packet with the counter time, and an interval discriminator to assign a received packet to a selected interval counter of a set of interval counters based upon the counter time. A computer is connected to the packet switch. The computer has a memory with instructions executed by a processor to associate the counter time with a time of day, and collect values from the set of interval counters to generate network traffic activity data.
Type: Grant
Filed: August 14, 2020
Date of Patent: December 13, 2022
Assignee: Cpacket Networks Inc.
Inventor: Peter John Sevcik
-
Patent number: 11483393
Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to receive network session information from network monitoring devices distributed throughout an enterprise network. The network session information characterizes communications between a client device within the enterprise network and a server external to the enterprise network. The network session information is transformed into vectors of network communication session parameters. The vectors are combined into different time series of data. A similarity measure is computed between the different time series of data to detect unique sessions between the client device and a middlebox network device within the enterprise network or unique sessions between a middle box network device within the enterprise network and the server. The unique sessions are evaluated to infer relationships between networked devices within the enterprise network.
Type: Grant
Filed: August 6, 2020
Date of Patent: October 25, 2022
Assignee: Cpacket Networks Inc.
Inventors: Sheng Lundquist, Douglas Cooper, Ron Nevo
-
Publication number: 20190007293
Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to evaluate internal packets from a first side of a network address translator with a first internet protocol address and a first port designation. External packets from a second side of a network address translator with a second internet protocol address and a second port designation are evaluated. A session start packet match is identified within the internal packets and the external packets. A session entry with a session start time is created in response to the session start packet match. A session end match is identified within the internal packets and the external packets. A session end time is recorded in response to the session end match.
Type: Application
Filed: June 28, 2017
Publication date: January 3, 2019
Applicant: Cpacket Networks Inc.
Inventor: Ron Nevo
-
Publication number: 20190007285
Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to collect from network connected devices key performance indicators characterizing network traffic information. The key performance indicators are aggregated into a time segment for a current weekday. Key performance indicators for the time segment for the current weekday are compared to corresponding key performance indicators for time segments from previous weekdays. The corresponding key performance indicators for time segments from previous weekdays establish a network behavior baseline. An alert is produced when the key performance indicators for the time segments for the current weekday exceed a deviation threshold from the network behavior baseline.
Type: Application
Filed: June 28, 2017
Publication date: January 3, 2019
Applicant: Cpacket Networks Inc.
Inventors: Ron Nevo, Douglas Cooper
-
Publication number: 20190007292
Abstract: A machine has a processor and a memory connected to the processor. The memory stores instructions executed by the processor to observe network packet exchanges between virtualized resources. Key performance indicators characterizing packet information and connection information are generated from the packet exchanges. The key performance indicators are routed to a network connected device.
Type: Application
Filed: June 28, 2017
Publication date: January 3, 2019
Applicant: Cpacket Networks Inc.
Inventors: Ron Nevo, Hal Heisler, Murali Vinnakota
-
Patent number: 10069704
Abstract: A system for network monitoring and network traffic analysis includes a plurality of network devices and a management station. Each of the plurality of network devices is associated with corresponding ones of a plurality of ports. Each of the plurality of network devices is configured to determine network traffic analysis data associated with a characteristic of network data traversing each of the plurality of ports. The management station is configured to determine a ranking of the plurality of ports based on the network traffic analysis data in response to a search request implicating the characteristic, and is configured to display the plurality of ports based on the ranking.
Type: Grant
Filed: December 4, 2013
Date of Patent: September 4, 2018
Assignee: CPACKET NETWORKS INC.
Inventor: Rony Kay
-
Patent number: 9787556
Abstract: A system for monitoring and visualization of network data includes a plurality of first devices and a second device coupled to the plurality of first devices over a network. Each first device is associated with corresponding ones of a plurality of ports. Each first device is configured to determine network traffic analysis information associated with a characteristic of network data traversing each of the ports, and to push the network traffic analysis information across a network independent of a solicitation from the network. The second device is configured to generate a map of the network including a visual indicator based on the network traffic analysis information, to receive an update of the network traffic analysis information from at least one of the first devices, and to refresh the visual indicator in real time to reflect the update of the network traffic analysis information.
Type: Grant
Filed: December 22, 2014
Date of Patent: October 10, 2017
Assignee: cPacket Networks Inc.
Inventor: Rony Kay
-
Patent number: 9407518
Abstract: A system includes a first device and a second device configured to monitor a plurality of data flows traversing the second device. The second device is configured to collect statistics associated with the plurality of data flows, and includes traffic analysis logic that is configured to augment the plurality of data flows with data including statistical information based on the statistics and address information associated with the first device. The first device is configured to receive the data. The traffic analysis logic is operable to push the statistical information to the first device independently of a real-time request for at least a portion of the statistical information from the first device. The traffic analysis logic is configurable based on at least the address information.
Type: Grant
Filed: December 4, 2013
Date of Patent: August 2, 2016
Assignee: cPacket Networks Inc.
Inventor: Rony Kay
-
Publication number: 20150244594
Abstract: A system for monitoring and visualization of network data includes a plurality of first devices and a second device coupled to the plurality of first devices over a network. Each first device is associated with corresponding ones of a plurality of ports. Each first device is configured to determine network traffic analysis information associated with a characteristic of network data traversing each of the ports, and to push the network traffic analysis information across a network independent of a solicitation from the network. The second device is configured to generate a map of the network including a visual indicator based on the network traffic analysis information, to receive an update of the network traffic analysis information from at least one of the first devices, and to refresh the visual indicator in real time to reflect the update of the network traffic analysis information.
Type: Application
Filed: December 22, 2014
Publication date: August 27, 2015
Applicant: CPACKET NETWORKS INC.
Inventor: Rony Kay
-
Publication number: 20150236895
Abstract: An apparatus includes a plurality of microcode controlled state machines and a first circuit. At least one of the microcode controlled state machines is configured to process network data received by the apparatus and to apply a first rule to the network data to produce an associated output indicating a first characteristic of at least a portion of the network data. The first circuit is configured to store a first portion of the network data received by the apparatus prior to the determination of the first characteristic, and to store a second portion of the network data received by the apparatus subsequent to the determination of the first characteristic. The first circuit is also configured to preserve the first portion and the second portion of the network data in response to the determination of the first characteristic.
Type: Application
Filed: December 22, 2014
Publication date: August 20, 2015
Applicant: Cpacket Networks Inc.
Inventor: Rony Kay
-
Publication number: 20140169196
Abstract: A system includes a first device and a second device configured to monitor a plurality of data flows traversing the second device. The second device is configured to collect statistics associated with the plurality of data flows, and includes traffic analysis logic that is configured to augment the plurality of data flows with data including statistical information based on the statistics and address information associated with the first device. The first device is configured to receive the data. The traffic analysis logic is operable to push the statistical information to the first device independently of a real-time request for at least a portion of the statistical information from the first device. The traffic analysis logic is configurable based on at least the address information.
Type: Application
Filed: December 4, 2013
Publication date: June 19, 2014
Applicant: CPACKET NETWORKS INC.
Inventor: Rony Kay
-
Publication number: 20140172852
Abstract: A system includes a first device and a second device. The first device includes traffic analysis logic configured to process first data measured over each of a plurality of time intervals of a first time granularity to obtain second data associated with each of a plurality of time intervals of a second time granularity. The first time granularity is finer than the second time granularity. The second device is configured to receive and display the second data. The traffic analysis logic is configurable responsive to the second device to reduce a volume of the first data to obtain the second data such that an indication of a feature in the first data is maintained in the second data, where the feature would be obscured if the second data were based on an aggregate of the first data over each of the plurality of time intervals of the second time granularity.
Type: Application
Filed: December 4, 2013
Publication date: June 19, 2014
Applicant: CPACKET NETWORKS INC.
Inventor: Rony Kay
-
Publication number: 20140173102
Abstract: An apparatus includes microcode controlled state machines, data reduction logic, and push logic. At least one of the microcode controlled state machines is configured to generate first statistical data measured over time intervals of a first time granularity based on network data included in each of multiple data flows traversing the at least one of the microcode controlled state machines. The data reduction logic is configured to receive the first statistical data, and to obtain second statistical data having a volume reduced from a volume of the first statistical data based on performance of a mathematical operation on the first statistical data. The second statistical data is associated with time intervals of a second time granularity. The first time granularity is finer than the second time granularity. The push logic is configured to push the second statistical data across a network independent of a real-time request from the network.
Type: Application
Filed: December 4, 2013
Publication date: June 19, 2014
Applicant: cPacket Networks Inc.
Inventor: Rony Kay
-
Publication number: 20140164609
Abstract: A system for network monitoring and network traffic analysis includes a plurality of network devices and a management station. Each of the plurality of network devices is associated with corresponding ones of a plurality of ports. Each of the plurality of network devices is configured to determine network traffic analysis data associated with a characteristic of network data traversing each of the plurality of ports. The management station is configured to determine a ranking of the plurality of ports based on the network traffic analysis data in response to a search request implicating the characteristic, and is configured to display the plurality of ports based on the ranking.
Type: Application
Filed: December 4, 2013
Publication date: June 12, 2014
Applicant: cPacket Networks Inc.
Inventor: Rony Kay
-
Patent number: 8665868
Abstract: An apparatus is described that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that the plurality of microcode controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator. At least one of the matches is selected based on the priority indicators. Advantageously, the apparatus provides an architectural framework well suited to a low cost, high speed, robust implementation of flexible, advanced network security and monitoring features and network traffic analysis.
Type: Grant
Filed: July 9, 2009
Date of Patent: March 4, 2014
Assignee: cPacket Networks, Inc.
Inventor: Rony Kay
-
Patent number: 8346918
Abstract: An apparatus is described that performs biased and weighted sampling of network traffic to facilitate network monitoring. One embodiment of the apparatus includes a plurality of microcode controlled state machines, and a distribution circuit that routes input data to the plurality of microcode controlled state machines. A first individual microcode controlled state machine applies a first rule to the input data to determine first instructions associated with a first subset of the input data based on first sampling information associated with the first rule. A second individual microcode controlled state machine applies a second rule to the input data to determine second instructions associated with a second subset of the input data based on second sampling information associated with the second rule. The second sampling information differs from the first sampling information.
Type: Grant
Filed: July 9, 2009
Date of Patent: January 1, 2013
Assignee: CPacket Networks, Inc.
Inventor: Rony Kay
-
Patent number: 8296846
Abstract: An apparatus is described that associates categorization information with network traffic to facilitate application level processing through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode controlled state machines, wherein at least one microcode state machine processes at least one input data field using a hash function to generate a hash identifier. This embodiment further includes a distribution circuit that routes input data to the plurality of microcode controlled state machines, such that at least one individual microcode controlled state machine applies a rule to the input data to produce the at least one input data field, and to produce modification instructions based on the hash identifier.
Type: Grant
Filed: July 9, 2009
Date of Patent: October 23, 2012
Assignee: CPacket Networks, Inc.
Inventor: Rony Kay
-
Patent number: 8024799
Abstract: An apparatus that facilitates network security for input network traffic includes microcode controlled state machines, each of which includes a computation kernel. Rules applied to a network traffic segment are distributed across the computation kernels. At least two of the computation kernels include condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in microcode to produce modification instructions. A distribution circuit routes the network traffic segment to each of the microcode controlled state machines. A circuit generates a modification command by combining the modification instructions from each of the at least two computation kernels, and performs a modification of the input network traffic based on the modification command to produce modified output network traffic that facilitates network security.
Type: Grant
Filed: July 7, 2006
Date of Patent: September 20, 2011
Assignee: Cpacket Networks, Inc.
Inventor: Rony Kay
-
Patent number: 7937756
Abstract: An embodiment of an apparatus that facilitates network security and traffic monitoring for input network traffic includes a plurality of microcode controlled state machines, each of which includes a computation kernel. A plurality of rules applied to a network traffic segment are distributed across the computation kernels. Each of the computation kernels includes condition logic configured by microcode stored in an associated control store to evaluate a unique configured rule in the microcode to produce an associated output. A distribution circuit routes the network traffic segment to each of the plurality of microcode controlled state machines. An aggregation circuit generates a decision on which forwarding of the network traffic segment is based, where the decision is a logical combination of the associated output of each of the computation kernels.
Type: Grant
Filed: August 19, 2005
Date of Patent: May 3, 2011
Assignee: Cpacket Networks, Inc.
Inventor: Rony Kay