Patents Assigned to Narus, Inc.
  • Publication number: 20170118129
    Abstract: A method for profiling network traffic of a network. The method includes capturing packets based at least on a common source IP address shared by each of the packets, where said each packet is assigned a source timestamp by a source of said each packet and further assigned a capture timestamp by a packet capturing device, identifying a first portion of the packets as a first flow and a second portion of the packets as a second flow, extracting a first monotonic timestamp-pair (MTSP) sequence and a second MTSP sequence from the first flow and the second flow, respectively, comparing the first MTSP sequence and the second MTSP sequence to generate a result, and determining, based on the result, whether the first flow and the second flow are generated by a single host of the network.
    Type: Application
    Filed: January 9, 2017
    Publication date: April 27, 2017
    Applicant: Narus, Inc.
    Inventors: Mario Baldi, Yi-Chao Chen, Yong Liao, Lili Qiu, Sung-Ju Lee
  • Publication number: 20170085583
    Abstract: A method for detecting malicious HTTP redirections. The method includes obtaining, based on a single client IP address, HTTP flows triggered by visiting a website, extracting a sequence of URLs where a downstream URL is extracted from a child HTTP request that is triggered by a parent HTTP request containing an immediate upstream URL, analyzing the URL sequence to generate a statistical feature, and classifying, based on the statistical feature, the HTTP flows as containing at least one malicious HTTP redirection triggered by visiting the website.
    Type: Application
    Filed: December 2, 2016
    Publication date: March 23, 2017
    Applicant: Narus, Inc.
    Inventors: Ruben Torres, Hesham Mekky, Zhi-Li Zhang, Sabyasachi Saha, Antonio Nucci
  • Patent number: 9577898
    Abstract: A method for profiling network traffic of a network. The method includes capturing packets based at least on a common source IP address shared by each of the packets, where said each packet is assigned a source timestamp by a source of said each packet and further assigned a capture timestamp by a packet capturing device, identifying a first portion of the packets as a first flow and a second portion of the packets as a second flow, extracting a first monotonic timestamp-pair (MTSP) sequence and a second MTSP sequence from the first flow and the second flow, respectively, comparing the first MTSP sequence and the second MTSP sequence to generate a result, and determining, based on the result, whether the first flow and the second flow are generated by a single host of the network.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: February 21, 2017
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Yi-Chao Chen, Yong Liao, Lili Qiu, Sung-Ju Lee
  • Publication number: 20170012836
    Abstract: A method for profiling network traffic of a network. The method includes extracting cells from bi-directional payloads generated by a network application, wherein each cell comprises at least one direction reversal in a corresponding bi-directional flow, generating a cell group comprising a portion of the cells that are similar, analyzing the cell group to generate a signature of the network application, and classifying, based on the signature of the network application, a new bi-directional flow as being generated by the network application.
    Type: Application
    Filed: September 21, 2016
    Publication date: January 12, 2017
    Applicant: Narus, Inc.
    Inventors: Alok Tongaonkar, Ram Keralapura, Antonio Nucci
  • Publication number: 20170012853
    Abstract: A method for analyzing a binary-based application protocol of a network. The method includes obtaining conversations from the network, extracting content of a candidate field from a message in each conversation, calculating a randomness measure of the content to represent a level of randomness of the content across all conversation, calculating a correlation measure of the content to represent a level of correlation, across all of conversations, between the content and an attribute of a corresponding conversation where the message containing the candidate field is located, and selecting, based on the randomness measure and the correlation measure, and using a pre-determined field selection criterion, the candidate offset from a set of candidate offsets as the offset defined by the protocol.
    Type: Application
    Filed: September 21, 2016
    Publication date: January 12, 2017
    Applicant: Narus, Inc.
    Inventors: Ignacio Bermudez, Marios Iliofotou, Marco Mellia, Ram Keralapura, Maurizio Matteo Munafo
  • Patent number: 9531736
    Abstract: A method for detecting malicious HTTP redirections. The method includes obtaining, based on a single client IP address, HTTP flows triggered by visiting a website, extracting a sequence of URLs where a downstream URL is extracted from a child HTTP request that is triggered by a parent HTTP request containing an immediate upstream URL, analyzing the URL sequence to generate a statistical feature, and classifying, based on the statistical feature, the HTTP flows as containing at least one malicious HTTP redirection triggered by visiting the website.
    Type: Grant
    Filed: December 24, 2012
    Date of Patent: December 27, 2016
    Assignee: Narus, Inc.
    Inventors: Ruben Torres, Hesham Mekky, Zhi-Li Zhang, Sabyasachi Saha, Antonio Nucci
  • Patent number: 9521162
    Abstract: A method for detecting a malicious network activity. The method includes extracting, based on a pre-determined criterion, a plurality of protection phase feature sequences extracted from a first plurality of network traffic sessions exchanged during a protection phase between a server device and a first plurality of client devices of a network, comparing the plurality of protection phase feature sequences and a plurality of profiling phase feature sequences to generate a comparison result, where the plurality of profiling phase feature sequences were extracted from a second plurality of network traffic sessions exchanged during a profiling phase prior to the protection phase between the server device and a second plurality of client devices of the network, and generating, in response to detecting a statistical measure of the comparison result exceeding a pre-determined threshold, an alert indicating the malicious network activity.
    Type: Grant
    Filed: November 21, 2014
    Date of Patent: December 13, 2016
    Assignee: Narus, Inc.
    Inventors: Ali Zand, Gaspar Modelo-Howard, Alok Tongaonkar, Sung-Ju Lee, Christopher Kruegel, Giovanni Vigna
  • Patent number: 9479405
    Abstract: A method for profiling network traffic of a network. The method includes extracting cells from bi-directional payloads generated by a network application, wherein each cell comprises at least one direction reversal in a corresponding bi-directional flow, generating a cell group comprising a portion of the cells that are similar, analyzing the cell group to generate a signature of the network application, and classifying, based on the signature of the network application, a new bi-directional flow as being generated by the network application.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: October 25, 2016
    Assignee: Narus, Inc.
    Inventors: Alok Tongaonkar, Ram Keralapura, Antonio Nucci
  • Patent number: 9473380
    Abstract: A method for analyzing a binary-based application protocol of a network. The method includes obtaining conversations from the network, extracting content of a candidate field from a message in each conversation, calculating a randomness measure of the content to represent a level of randomness of the content across all conversation, calculating a correlation measure of the content to represent a level of correlation, across all of conversations, between the content and an attribute of a corresponding conversation where the message containing the candidate field is located, and selecting, based on the randomness measure and the correlation measure, and using a pre-determined field selection criterion, the candidate offset from a set of candidate offsets as the offset defined by the protocol.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: October 18, 2016
    Assignee: Narus, Inc.
    Inventors: Ignacio Bermudez, Marios Iliofotou, Marco Mellia, Ram Keralapura, Maurizio Matteo Munafo
  • Patent number: 9311386
    Abstract: A method for network resource classification and identifying user interests based on the classification. The method uses a provided hierarchy of categories for classifying network resources, wherein each category is assigned a text item describing the category and the method includes obtaining resource description data collections corresponding to the network resources, and generating, using a semantic correlation algorithm, a category score vector of a network resource by comparing the resource description data collection to the text item assigned to each category in the hierarchy of categories, wherein the category score vector comprises a category score for each category in the hierarchy of categories, wherein the category score is determined based on at least a semantic correlation measure between the resource description data collection and the text item assigned to a corresponding category, wherein the plurality of network resources are classified based at least on the category score.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: April 12, 2016
    Assignee: Narus, Inc.
    Inventors: Han See Song, Mario Baldi, Qiang Ma, Antonio Nucci
  • Publication number: 20160098571
    Abstract: A trusted user circle server for encryption key distribution and authentication support, as well as a client-side application which resides on user's devices are disclosed. In particular, the trusted user circle server manages a repository for static public keys (SPUK) which are used for authentication and secure distribution of a dynamic private context key (DPCK) used for the end-to-many encryption. Accordingly, posting users encrypt posted document using the DPCK and viewing users retrieve the DPCK to decrypt the posted document. These keys are associated to the trusted user circle and are generated dynamically for a given circle policy context (CPC). The CPC is an identifier that represents a group of members of a trusted user circle. It changes whenever any member of the trusted user circle leave it, when a new trusted user circle is created or when the DPCK expires after a pre-determined period of time.
    Type: Application
    Filed: December 14, 2015
    Publication date: April 7, 2016
    Applicant: Narus, Inc.
    Inventors: Ignacio Bermudez Corrales, Antonio Nucci
  • Patent number: 9251401
    Abstract: A method for authenticating a live person subject. The method includes receiving an authentication request from a user, generating a sequence of instructions instructing the user to point a face toward a sequence of facial directions, wherein the sequence of facial directions are randomly generated using a random sequence generation algorithm, presenting the sequence of instructions to the user, capturing, while presenting the sequence of instructions to the user, a sequence of live-captured facial images (LCFIs) based on a pre-determined frame rate, and generating an authentication result identifying the user as the live person subject by at least, matching the sequence of LCFIs to multiple reference facial images of the live person subject and validating each LCFI in the sequence of LCFIs based on a pre-determined criterion.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: February 2, 2016
    Assignee: Narus, Inc.
    Inventor: Sing Koo
  • Patent number: 9245121
    Abstract: A method for detecting a malicious node in a network. The method includes obtaining a plurality of failed domain name service (DNS) queries from the network, wherein each of the plurality of failed DNS queries is initiated from a client node of the network and comprises an effective second-level domain (eSLD) name, generating, by a computer processor and using a pre-determined clustering algorithm, a cluster from a plurality of eSLD names comprising the eSLD name of each of the plurality of failed DNS queries, wherein the cluster comprises a portion of the plurality of eSLD names that is selected based on the pre-determined clustering algorithm, determining, by the computer processor and using a pre-determined formula, a score representing statistical characteristics of the cluster, and assigning, in response to the score meeting a pre-determined criterion, a malicious status to the client node.
    Type: Grant
    Filed: August 9, 2013
    Date of Patent: January 26, 2016
    Assignee: Narus, Inc.
    Inventors: Pengkui Luo, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, Sung-Ju Lee, Antonio Nucci
  • Patent number: 9213855
    Abstract: A trusted user circle server for encryption key distribution and authentication support, as well as a client-side application which resides on user's devices are disclosed. In particular, the trusted user circle server manages a repository for static public keys (SPUK) which are used for authentication and secure distribution of a dynamic private context key (DPCK) used for the end-to-many encryption. Accordingly, posting users encrypt posted document using the DPCK and viewing users retrieve the DPCK to decrypt the posted document. These keys are associated to the trusted user circle and are generated dynamically for a given circle policy context (CPC). The CPC is an identifier that represents a group of members of a trusted user circle. It changes whenever any member of the trusted user circle leave it, when a new trusted user circle is created or when the DPCK expires after a pre-determined period of time.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: December 15, 2015
    Assignee: Narus, Inc.
    Inventors: Ignacio Bermudez Corrales, Antonio Nucci
  • Patent number: 9208179
    Abstract: A method for comparing data records, including extracting, by a computer processor, alphanumeric tokens from a plurality of data records, wherein the plurality of data records are generated by a plurality of entities, generating, by the computer processor, a plurality of indexes each referencing an entity of the plurality of entities by at least one of the alphanumeric tokens that is associated with the entity, extracting target alphanumeric tokens from a target data record of a target entity, identifying a candidate entity from the plurality of entities based on the target alphanumeric tokens and a first index of the plurality of indexes, and calculating, by the computer processor, a first score representing a first similarity measure between a candidate data record selected from the plurality of data records that belongs to the candidate entity and the target data record of the target entity.
    Type: Grant
    Filed: May 25, 2012
    Date of Patent: December 8, 2015
    Assignee: Narus, Inc.
    Inventors: Han See Song, Antonio Nucci, Qiang Ma
  • Patent number: 9210090
    Abstract: A method for accessing (e.g., processing, storing, retrieving, etc.) network traffic data of a network. The method includes using separate data analysis device and data access device for capturing and analyzing network traffic data blocks concurrently and cooperatively to store and retrieve large amount of high speed network traffic data. In particular, the data analysis device and the data access device are synchronized using a linked set containing unique data block identifier and associated packet identifiers. The synchronization allows the data analysis device to focus on the full packet analysis task and the data access device to focus on the full packet storing and retrieving task without analyzing full packet content.
    Type: Grant
    Filed: January 22, 2014
    Date of Patent: December 8, 2015
    Assignee: Narus, Inc.
    Inventors: Mario Baldi, Syed M. Hussain, Yong Liao, Alok Tongaonkar, Antonio Nucci
  • Patent number: 9100326
    Abstract: A method for analyzing an application protocol of a network. The method includes extracting non-alphanumeric tokens from conversations of the network, selecting frequently occurring non-alphanumeric token as a field delimiter candidate for dividing each conversation into a slice-set, analyzing slice-sets of the conversations to determine a statistical measure of matched slices for each conversation, and to determine a field delimiter candidate score by aggregating the statistical measure of matched slices for all conversations, and selecting the non-alphanumeric token as the field delimiter of the protocol based on the field delimiter candidate score associated with the non-alphanumeric token.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: August 4, 2015
    Assignee: Narus, Inc.
    Inventors: Marios Iliofotou, Ram Keralapura, Marco Mellia, Ignacio Bermudez
  • Patent number: 9094288
    Abstract: A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures each representing first data characteristics associated with a corresponding application executing in the network, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without being correlated to any corresponding application of the plurality of signatures, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library.
    Type: Grant
    Filed: October 26, 2011
    Date of Patent: July 28, 2015
    Assignee: Narus, Inc.
    Inventors: Antonio Nucci, Sabyasachi Saha
  • Patent number: 9088598
    Abstract: A method for detecting malicious servers. The method includes analyzing network traffic data to generate a main similarity measure and a secondary similarity measure for each server pair found in the network traffic data, extracting a main subset and a secondary subset of servers based on the main similarity measure and the secondary similarity measure, identifying a server that belongs to the main subset and the secondary subset, and determining a suspicious score of the server based on at least a first similarity density measure of the main subset, a second similarity density measure of the secondary subset, and a commonality measure of the main subset and the secondary subset.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: July 21, 2015
    Assignee: Narus, Inc.
    Inventors: Jialong Zhang, Sabyasachi Saha, Guofei Gu, Sung-Ju Lee, Bruno Nardelli
  • Patent number: 9049117
    Abstract: A method is provided for collecting and processing information of a target who is a user of a communication network. The method includes obtaining a first identifier of the target, accessing, based on a handle of the first identifier, a first public webpage associated with the target in a first Internet site identified based on a domain of the first identifier, extracting content of the first public webpage for including in target data of the target, obtaining a third identifier of the target, intercepting a document associated with the target from a private portion of communication network traffic identified based on a domain of the third identifier, extracting content of the document for including in the target data, determining a second identifier by searching the target data, associating the second identifier with the target based on a pre-determined criterion, and collecting information of the target based on the second identifier.
    Type: Grant
    Filed: October 21, 2009
    Date of Patent: June 2, 2015
    Assignee: Narus, Inc.
    Inventors: Antonio Nucci, Ramakrishna Keralapura, Joshua Robinson, Supranamaya Ranjan, Smriti Bhagat