Patents Assigned to ExtraHop Networks, Inc.
  • Patent number: 10382296
    Abstract: Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may be employed to monitor the network to provide metric profiles based on a plurality of characteristics associated with one or more network flows. The network monitoring engine may provide profile objects based on the metric profiles. The network monitoring engine may provide the profile objects to a classifier engine. The classifier engine may provide trained activity models selected from a plurality of trained activity models that may be based on a ranked ordering of characteristics of the trained activity models and the profile objects. The classifier engine may provide classification results for the profile objects based on the trained activity models. And, the network monitoring engine may execute policies based on the classification results associated with the profile objects.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: August 13, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Bhushan Prasad Khanal, Xue Jun Wu, Eric Jacob Ball, Casey Alvin Marks
  • Patent number: 10341206
    Abstract: Embodiments are directed to monitoring network traffic over a network. A monitoring engine may monitor flows of network packets in the network. The monitoring engine may determine an observation port that provided the network packets. The monitoring engine may determine primary network packets provided by an authoritative observation port based on which observation port provided the network packets and provide them to an analysis engine. The monitoring engine may discard a remainder of the network packets that may be associated with non-authoritative observation ports. The analysis engine may analyze the one or more primary network packets.
    Type: Grant
    Filed: December 27, 2017
    Date of Patent: July 2, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Eric Joseph Hammerle, Jesse Abraham Rothstein, Michael Kerber Krause Montague
  • Patent number: 10326676
    Abstract: Embodiments are directed to monitoring network traffic using a network computer. The network computer provides anomaly information associated with anomalies that may be associated with monitored network traffic. An inference engine may determine the users associated with the anomalies based on the monitored network traffic. A communication channel associated with the users may be determined based on the anomalies and the monitored network traffic such that the communication channel may be separate from the monitored network traffic. The communication channel may be employed to provide investigative agents to the users. Investigative information may be collected from the investigative agents over the communication channel. The inference engine may provide a risk value that is associated with the anomalies based on the investigative information.
    Type: Grant
    Filed: January 8, 2019
    Date of Patent: June 18, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Edmund Hope Driggs, Jesse Abraham Rothstein
  • Patent number: 10326741
    Abstract: Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.
    Type: Grant
    Filed: March 13, 2017
    Date of Patent: June 18, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Jesse Abraham Rothstein, Benjamin Thomas Higgins, Brian David Hatch
  • Patent number: 10277618
    Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine may associate the entities with privilege levels based on the device relation model based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: April 30, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Xue Jun Wu, Songqian Chen, Olga Kazakova
  • Patent number: 10270794
    Abstract: Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison such that the atypical behavior includes an absence of adaption by the clients to changes in the server responses; and providing alerts that may identify the clients as being associated with the atypical behavior.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: April 23, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Arindum Mukerji, Khurram Waheed
  • Patent number: 10264003
    Abstract: Embodiments are directed to monitoring network traffic using network computers. Monitoring triggers associated with one or more conditions and one or more actions may be provided. A monitoring engine may monitor information that is associated with network traffic associated with networks based on an inspection detail level. The monitoring engine may compare the monitored information to the conditions associated with the monitoring triggers. The monitoring engine may activate one or more monitoring triggers based on a result of the comparison. The monitoring engine may modify the inspection detail level based on the actions associated with the activated monitoring triggers to increase the amount of the information monitored by the monitoring engine. An analysis engine may provide analysis of the network traffic based on the monitored information.
    Type: Grant
    Filed: February 7, 2018
    Date of Patent: April 16, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
  • Patent number: 10263863
    Abstract: Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may monitor networks to collect characteristics associated with network flows. The network monitoring engine may be arranged to identify entities on the network based on characteristics associated with the network flows. The network monitoring engine may provide entity profiles based on the identified entities and the characteristics. A configuration management engine may compare the entity profiles with configuration item (CI) entries in a database. The configuration management engine may provide discrepancy notices based on differences discovered during the comparison. Accordingly, the network monitoring engine may execute one or more policies to perform one or more additional actions based on the one or more discrepancy notices. Also, the configuration management engine may perform audits of an organization's information technology infrastructure to identify one or more violations of compliance policies.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: April 16, 2019
    Assignees: ExtraHop Networks, Inc., Reel/Frame: 043271/0705
    Inventors: Arindum Mukerji, Jeffery Bradford Fry
  • Patent number: 10243978
    Abstract: Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: March 26, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Thomas Lawrence Roeh, Samuel Kanen Clement, John Augustus Kiefer
  • Patent number: 10204211
    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring computer (NMC). If one or more flows include healthcare traffic provided by one or more healthcare services, the NMC may perform further actions. Healthcare values from the one or more healthcare services may be provided from the network traffic. Values from one or more network traffic flows that are separate from the healthcare traffic may be provided. Other healthcare values from other flows may be provided that include healthcare traffic provided by the healthcare services. Accordingly, if a comparison of the healthcare values and the other healthcare values meet certain conditions, additional actions may be performed based on rules, or policies. The healthcare traffic may be compliant with one or more of Health Level Seven (HL7) standard, Digital Imaging and Communications in Medicine (DICOM) standard, or the like.
    Type: Grant
    Filed: February 3, 2016
    Date of Patent: February 12, 2019
    Assignee: ExtraHop Networks, Inc.
    Inventors: Eric Joseph Hammerle, Samuel Kanen Clement, Terry William Shaver, Matthew Couper Cauthorn
  • Patent number: 10116679
    Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with entities in one or more networks. A device relation model may be provided based on the entities and the network traffic. An inference engine may associate the entities with privilege levels based on the device relation model based on an amount of access or an amount of control that source entities exert over the target entities. An anomaly engine may determine one or more interactions between the source entities and the target entities based on the monitored network traffic. The anomaly engine may generate escalation events based on the interactions associated with the source entities and the target entities where the target entities have a higher privilege level than the source entities. The anomaly engine may provide the escalation events to one or more users.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: October 30, 2018
    Assignee: ExtraHop Networks, Inc.
    Inventors: Xue Jun Wu, Songqian Chen, Olga Kazakova
  • Patent number: 10063434
    Abstract: Embodiments are directed to monitoring network traffic in a network. A network monitoring engine may be employed to monitor the network to provide metric profiles based on a plurality of characteristics associated with one or more network flows. The network monitoring engine may provide profile objects based on the metric profiles. The network monitoring engine may provide the profile objects to a classifier engine. The classifier engine may provide trained activity models selected from a plurality of trained activity models that may be based on a ranked ordering of characteristics of the trained activity models and the profile objects. The classifier engine may provide classification results for the profile objects based on the trained activity models. And, the network monitoring engine may execute policies based on the classification results associated with the profile objects.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: August 28, 2018
    Assignee: ExtraHop Networks, Inc.
    Inventors: Bhushan Prasad Khanal, Xue Jun Wu, Eric Jacob Ball, Casey Alvin Marks
  • Patent number: 10038611
    Abstract: Embodiments are directed to monitoring network traffic using network computers. A monitoring engine may monitor network traffic associated with a plurality of entities in a network to provide metrics. A device relation model may be provided based on the plurality of entities, the network traffic, and the metrics. Interest information for a user may be provided based on one or more properties associated with the user. An inference engine may associate each entity in the plurality of entities with an interest score based on the interest information, the device relation model, and the metrics. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. Some of the alerts may be provided to the user based on ranked interest scores associated with the entities.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: July 31, 2018
    Assignee: ExtraHop Networks, Inc.
    Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
  • Patent number: 9967292
    Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.
    Type: Grant
    Filed: October 25, 2017
    Date of Patent: May 8, 2018
    Assignee: ExtraHop Networks, Inc.
    Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein
  • Patent number: 9813311
    Abstract: Embodiments are directed to capturing packets on a network. A snapshot value may be provided for a network monitoring computer (NMC). If the NMC may be provided packets of a network flow, characteristics of the network flow may be monitored. If the characteristics of the network flow indicate that a flow turn may be occurring on the network flow, the snapshot value may be modified by increasing it to a provided value. If conditions indicate that the flow turn may be complete, the snapshot value may be reset by decreasing it to another provided value. A portion of each of the packets may be captured by the NMC, such that the size of the portion may be equivalent to the snapshot value. The captured portion of each of the packets may be stored in a memory of the NMC.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: November 7, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventor: Alexander Christian Leone
  • Patent number: 9756061
    Abstract: Embodiments are directed to detecting one or more attacks in a network. One or more network flows may be monitored using one or more network monitoring computers (NMCs). If one or more file write operations are detected based on information included in one or more packets of the one or more network flows, one or more detection rules may be executed to analyze one or more portions of the one or more packets to identify file information that is associated with the one or more file write operations. One or more metrics may be provided based on the one or more detection rules and one or more of the file information, the one or more file write operations, or the like. If one or more metrics exceed one or more threshold values, one or more reports of one or more attacks may be provided.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: September 5, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Thomas Lawrence Roeh, Samuel Kanen Clement, John Augustus Kiefer
  • Patent number: 9729416
    Abstract: Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC may perform further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.
    Type: Grant
    Filed: July 11, 2016
    Date of Patent: August 8, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Bhushan Prasad Khanal, Xue Jun Wu
  • Patent number: 9660879
    Abstract: Embodiments are directed to monitoring flows of packets over a network. If a network monitoring computer (NMC) in a cluster of NMCs observes a new network flow, the NMC may perform a variety of actions to determine the NMC that is responsible for monitoring the new network flow. Network traffic associated with the new network flow may be buffered in a non-transitory processor readable media. The new network flow may be registered with the plurality of NMCs, providing an identifier that corresponds to one NMC. Registering may include assigning the NMC a responsibility to monitor the new network flow. If the identifier corresponds to the NMC that observed the new network flow, the network traffic associated with the new network flow is processed using that NMC. If the identifier corresponds to another NMC, the buffered network traffic is forwarded to the other NMC.
    Type: Grant
    Filed: July 25, 2016
    Date of Patent: May 23, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Jesse Abraham Rothstein, Kevin Michael Seguin, William Henry Mortensen, Alexander Christian Leone
  • Patent number: 9621443
    Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring device (NMD). Measurement information may be generated based on network traffic that may be monitored by the NMD. Metrics associated with one or more characteristics of the monitored network traffic may be generated based on the measurement information. Layout information for a user-interface may be generated based on results of heuristics that use the measurement information. Generating the layout information may include determining a layout template based on the results of the heuristics and the measurement information. Metric visualizations that may be associated with the metrics may be displayed in the user-interface based on the layout information. If measurements exceed defined threshold values, the layout information may be modified based on the changes to the measurement information. Accordingly, the layout of the user interface may be modified based on the modified layout information.
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: April 11, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Ryan Takeo Kosai, Alexander Clarke Birmingham
  • Patent number: 9621523
    Abstract: Embodiments are directed to sharing secure communication secrets with a network monitoring device (NMD). The NMD may passively monitor network packets communicated between client computers and server computers. If a secure communication session is established between a client computer and a server computer, a key provider may provide the NMD a session key that corresponds to the secure communication session. The NMD may buffer each network packet associated with the secure communication session until the NMD is provided a session key for the secure communication session. The NMD may use the session key to decrypt network packets communicated between the client computer and the server computer. The NMD may then proceed to analyze the secure communication session based on the contents of the decrypted network packets.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: April 11, 2017
    Assignee: ExtraHop Networks, Inc.
    Inventors: Jesse Abraham Rothstein, Benjamin Thomas Higgins, Brian David Hatch