Abstract: A method of detecting anomalous behaviour in data traffic on a data communication network having a first host and a second host being connected to the data communication network in which the data traffic on the data communication network forms a link between the first host and the second host.

Abstract: Systems, methods, and related technologies for self-training classification are described. In certain aspects, a plurality of device classification methods with associated models are accessed. Each of the classification methods have an associated reliability level. The models of classification methods with a higher reliability level than other classifications methods are used to train the models associated with lower reliability level. The trained models and associated classification methods are thus improved.

Abstract: Systems, methods, and related technologies for analyzing traffic based on naming information are described. In certain aspects, name information and address information from a name translation response are stored. The name information is associated with a device based on the device sending a communication to an address associated with the name information.

Abstract: Device scanning aspects are described. In certain aspects, the method includes configuring a port forwarding policy on a first device based on a network session information, performing a scan of a second device based on a port forwarding policy.

Abstract: Systems, methods, and related technologies for clustering are described. The method includes determining one or more access policies associated with each of one or more clusters of entities, wherein a cluster comprises one or more entities with similar behavior. The method further includes determining one or more anomalies based on the one or more clusters, wherein the one or more access policies control communications between entities of the one or more clusters based on the one or more anomalies. The method further includes storing data associated with at least one of the one or more clusters and the one or more anomalies.

Abstract: An intrusion detection method for detecting an intrusion in data traffic on a data communication network parses the data traffic to extract at least one protocol field of a protocol message of the data traffic, and associates the extracted protocol field with a model for that protocol field. The model is selected from a set of models. An assessment is made to determine if a contents of the extracted protocol field is in a safe region as defined by the model, and an intrusion detection signal is generated in case it is established that the contents of the extracted protocol field is outside the safe region. The set of models may comprise a corresponding model for each protocol field of a set of protocol fields.

Abstract: Systems, methods, and related technologies for improving classification use multiple classification resources. The method includes accessing network traffic from a network comprising a plurality of entities, and determining, based on the network traffic, one or more values associated with one or more properties of an entity of the plurality of entities. The method also includes determining, by a processing device, a first classification result of the entity based on the one or more values and at least one local profile, and determining a second classification result of the entity, wherein the second classification result of the entity is based on the one or more values and at least one remote profile.

Abstract: Systems, methods, and related technologies for entity visibility are described. In certain aspects, information associated with a type of entity is accessed and a network is scanned for a plurality of entities. One or more entities are selected from plurality of entities based on the type of entity. Properties associated with the one or more selected entities are accessed. The information associated with the one or more selected entities and the one or more properties associated with the selected one or more entities are stored.

Abstract: Systems, methods, and related technologies for entity classification and attribute designation are described. Device property data associated with a device coupled to a network is accessed. One or more features for the device are identified based on the device property data. A first value for an attribute of the device is determined based on a set of rules applied to the one or more features of the device. A first belief value for the attribute is determined based on the set of rules applied to the one or more features of the device. A final value for the attribute of the device is selected based at least in part on the first belief value for the first value of the attribute.

Abstract: A method, apparatus and product for sub-networks based cyber security. One method comprises detecting a device connecting to a local network which is divided into subnets; determining a usage profile of the device; automatically selecting a subnet to connect the device based on the usage profile; and connecting the device to the selected subnet in the local network. Another method comprises monitoring communication traffic of devices in each of the subnets of a local network; performing anomaly detection to detect an abnormal communication of a device connected to a subnet; blocking the abnormal communication of the device; and removing the device from the subnet and connecting the device to a quarantine subnet of the local network, whereby reducing connectivity of the device with other devices connected to the local network.

Abstract: Systems, methods, and related technologies for profiling an entity and classifying an entity based on a profile are described. In certain aspects, accessing data associated with one or more communications of an entity is accessed and one or more behaviors based on the data associated with the one or more communications of the entity are determined. One or more sequences of the one or more behaviors of the entity are determined and a profile is determined based on the one or more sequences of the one or more behaviors, wherein the profile comprises a classification of the entity. The profile may then be stored.

Abstract: Systems, methods, and related technologies for device classification are described. In certain aspects, traffic data associated with a device and data from an external system can be accessed. The data can be processed to determine a device classification for the device. An action can be initiated based on the classification.

Abstract: Systems, methods, and related technologies for determining an issue based on a plurality of events. The determining of an issue may include accessing network traffic from a network and accessing a plurality of events associated with the network traffic. An issue can be determined based on a correlation of a portion of the plurality of events, where the issue represents an incident associated with the portion of the plurality of events. The correlation of the portion of the plurality of events is based on network specific information. Information associated with the issue including the portion of the plurality of events may then be stored.

Abstract: Systems and methods for monitoring devices on a network are describes. An indication of one or more active devices coupled to a network at an end of a time interval is received. Network traffic data associated with the network is received and one or more additional devices coupled to the network during the time interval that were not included in the indication of the one or more active devices coupled to the network at the end of the time interval are determined based on the network traffic data.

Abstract: Systems, methods, and related technologies for device identification are described. In certain aspects, packet data associated with a device can be analyzed and a score determined. The score and the threshold can be compared to determine a device identification for the device.

Abstract: Systems, methods, and related technologies for generating a network system map based on network traffic and possibly additional data are described. Network traffic may be received and parsed to obtain metadata associated with the network traffic. A network system may be identified based on the metadata. A network system map may be generated for the network system based on one or more of the metadata or the additional data.

Abstract: Systems, methods, and related technologies for account access monitoring are described. In certain aspects, a login request associated with a device can be analyzed and a score determined. The score and a threshold can be used to determine whether to initiate an action.

Abstract: Systems, methods, and related technologies for determining fields of an unknown protocol are described. One or more packets may be removed from a network traffic capture in response to the one or more packets having a known protocol. The remaining network traffic capture may be grouped into one or more clusters of packets based on similarity. Each of the one or more clusters may be parsed to identify one or more fields of an unknown protocol. The network traffic capture may be modified, including annotating the one or more fields of the unknown protocol.

Abstract: Systems, methods, and related technologies for parsing network traffic are described. Network traffic transmitted by a set of devices communicatively coupled to a network is obtained. A set of protocol fields for parsing the network traffic is determined. The set of protocol fields are associated with a set of processing engines. The network traffic is parsed to determine a set of field values from the network traffic based on the set of protocol fields. The set of field values are transmitted to the set of processing engines.

Abstract: Systems, methods, and related technologies for generating a network traffic map based on network traffic information and additional data are described. Network traffic information may be obtained from endpoints using an operating system (OS) interface, without an agent being installed on the endpoints. A network traffic map may be generated for the network based on the network traffic information.