Abstract: A method for profiling network traffic of a network is presented. The method includes obtaining a cohesive flow-set based on a (port number, transport protocol) pair, identifying a statistically representative training set from the flow-set, identifying a network application associated with the (port number, transport protocol) pair, determining a packet content based signature term of the network application based on the training set, generate a nondeterministic finite automaton (NFA) using the signature terms to represent regular expressions in the training set, matching a portion of a new flow to the NFA in real time and identify a server attached to the new flow as executing the network application, and generate an alert in response to the match for blocking the new flow prior to the server completing a task performed using the new flow.

Abstract: A method for detecting a malicious activity in a network. The method includes obtaining file download flows from the network, analyzing, the file download flows to generate malicious indications using a pre-determined malicious behavior detection algorithm, extracting a file download attribute from a suspicious file download flow of a malicious indication, wherein the file download attribute represents one or more of the URL, the FQDN, the top-level domain name, the URL path, the URL file name, and the payload of the suspicious file download flow, determining the file download attribute as being shared by at least two suspicious file download flows, identifying related suspicious file download flows and determining a level of association between based at least on the file download attribute, computing a malicious score of the suspicious file download flow based on the level of association, and presenting the malicious score to an analyst user of the network.

Abstract: A method for profiling user activity in a mobile network, including extracting user identifiers from application sessions identified from a mobile network, analyzing the application sessions to determine session blocks based on shared IP address and a minimum separation time threshold, extracting a traffic marker from the session blocks based on a user identifier, identifying a first portion of the session blocks based on the user identifier, wherein the first portion is associated with first mobile network activities of a user identified by the user identifier, identifying a second portion of the session blocks based on the traffic marker, wherein the second portion is associated with second mobile network activities of the user, and analyzing the first portion and the second portion to determine a measure of a mobile network activity of the user.

Abstract: A method for comparing documents, including extracting, by a computer processor, a plurality of extracted elements from a first image of a first formatted document, wherein each of the plurality of extracted elements corresponds to a text element of the first formatted document, extracting, by the computer processor, a first plurality of text fingerprints from a sequence of the plurality of extracted elements to form a first text feature of the first image, comparing, by the computer processor, the first text feature and a second formatted document to generate a comparison result, and determining, in response to the comparison result meeting a pre-determined criterion, that each of the first formatted document and the second formatted document contains common text content.

Abstract: Embodiments of the invention provide a method, system, and computer readable medium for classifying network traffic based on application signatures generated during a training phase. The application signatures are generated using (a) seeding flows obtained from a network trace based on a pre-determined selection criterion, and (b) for each seeding flow, a seeded flow group that is obtained from the network trace based on a pre-determined seeding criterion associated with the seeding flow. Specifically, persistent data patterns frequently occurring across multiple seeded flow groups are analyzed to generate the signatures.

Abstract: A high speed data storage system including a logical disk that is implemented from disk systems (i.e., physical disk storage devices and associated controllers) that operate at speed lower than the input data rate. The logical disk supports the input data rate by multiplexing streaming data onto multiple physical disk storage devices. The resulting system has a logical read/write speed that is the sum of each of the disks participated in the storage system. Data written onto the data storage system can be retrieved directly, sequentially, or by means of advanced search techniques such as binary search or skip sequential search.

Abstract: A method is provided for identifying a gender of a speaker. The method steps include obtaining speech data of the speaker, extracting vowel-like speech frames from the speech data, analyzing the vowel-like speech frames to generate a feature vector having pitch values corresponding to the vowel-like frames, analyzing the pitch values to generate a most frequent pitch value, determining, in response to the most frequent pitch value being between a first pre-determined threshold and a second pre-determined threshold, an output of a male Gaussian Mixture Model (GMM) and an output of a female GMM using the pitch values as inputs to the male GMM and the female GMM, and identifying the gender of the speaker by comparing the output of the male GMM and the output of the female GMM based on a pre-determined criterion.

Abstract: A method for profiling network traffic of a network, including obtaining a plurality of flows comprising a plurality of client IP addresses, a plurality of server IP addresses, and a plurality of server ports, extracting a plurality of fully qualified domain names (FQDNs) from a plurality of DNS flows in the network traffic, analyzing correlation between the plurality of flows and the plurality of FQDNs to generate a result, and presenting the result to an administrator user of the network.

Abstract: A method for detecting hidden malicious network nodes. Starting from a pool of seed nodes that have previously been identified as malicious, a two-phase score propagation algorithm is employed to propagate threat scores from the seeded nodes to other nodes in an IP-address connectivity graph. Nodes with high threat score after propagation are declared to be malicious.

Abstract: A method for identifying a botnet in a network, including analyzing historical network data using a pre-determined heuristic to determine values of a connectivity graph based feature in the historical network data, obtaining a ground truth data set having labels assigned to data units in the historical network data identifying known malicious nodes in the network, analyzing the historical network data and the ground truth data set using a machine learning algorithm to generate a model representing the labels as a function of the values of the connectivity graph based feature, analyzing real-time network data using the pre-determined heuristic to determine a value of the connectivity graph based feature for a data unit in the real-time network data, assigning a label to the data unit by applying the model to the value of the connectivity graph based feature, and categorizing the data unit as associated with the botnet based on the label.

Abstract: A method for user profile matching, including extracting online social network (OSN) user profile tokens from user profiles of one or more OSNs, generate indexes each referencing a user by at least one of the OSN user profile tokens that is associated with the user, extracting target OSN user profile tokens from a target OSN user profile of the one or more OSNs, identifying a candidate user based on the target OSN user profile tokens and at least one of the indexes, calculating a score representing a similarity measure between a candidate OSN user profile selected from the OSN user profiles that belongs to the candidate user and the target OSN user profile of the target user, and storing, in response to the score exceeding a pre-determined threshold, a combination of the target OSN user profile and the candidate OSN user profile as an expanded profile of the target user.

Abstract: A method for classifying network traffic, including (1) processing a first working set portion of a flow batch for a first iteration by dividing the first working set portion into clusters and filtering a cluster by (i) identifying a first server port as most frequently occurring comparing to all other server ports in the cluster, (ii) in response to determining that a first frequency of occurrence of the first server port in the cluster exceeds a pre-determined threshold: (a) identifying the cluster as a dominatedPort cluster, (b) removing the cluster from the first working set portion to generate a remainder as a second working set portion, and (c) removing, from the cluster to be added to the second working set portion, one or more flows having different server port than the first server port, and (2) processing the second working set portion for a second iteration.

Abstract: A method for identifying a botnet in a network, including analyzing historical network data using a pre-determined heuristic to determine values of a feature in the historical network data, obtaining a ground truth data set having labels assigned to data units in the historical network data identifying known malicious nodes in the network, analyzing the historical network data and the ground truth data set using a machine learning algorithm to generate a model representing the labels as a function of the values of the feature, analyzing real-time network data using the pre-determined heuristic to determine a value of the feature for a data unit in the real-time network data, assigning a label to the data unit by applying the model to the value of the feature, and categorizing the data unit as associated with the botnet based on the label.

Abstract: A method for managing a secured document. The method includes storing and retrieving the secured document based on hybrid fragmentation and replication scheme to provide user viewing of the secured document by (a) generating an image representing human discernible content of the secured document, (b) modifying the image to generate a modified image that is embedded with a digital watermark, where the digital water mark is human indiscernible and represents a security policy extracted from the secured document, and (c) sending, to a secured device for displaying to the requesting user, the modified image embedded with the digital watermark.

Abstract: Embodiments of the invention provide a method, system, and computer readable medium for classifying network traffic based on application signatures generated during a training phase using a modified subspace clustering scheme based on feature vectors extracted from network flows in a training set generated by a particular application and applying the signatures to a new feature vector extracted in real-time from current network data. The newly extracted feature vector is projected into the subspaces and compared with the signatures.

Abstract: A method for profiling network traffic of a network. The method includes identifying a training set having captured payloads corresponding to a set of flows associated with a network application, determining a set of signature terms from the training set, representing a portion of the captured payloads as regular expressions, representing a regular expression as a path in a term transition state machine (TTSM) including states coupled by at least a link that is assigned a signature term and a transition probability, the transition probability corresponding to a signature term transition to the signature term in the regular expression, and analyzing, based on the TTSM according to at least the transition probability, a flow separate from the set of flows and associated with a server in the network to determine the server as executing the network application.

Abstract: A method for profiling network traffic of a network, including defining a set of features each corresponding to a set of pre-determined bit positions for selecting a pre-determined number of data bits from each flow in a flow set generated by a network application to form a feature value assigned to the feature for the each flow, identifying the feature as a deterministic feature based on a frequency of occurrence of the feature value, extracting a set of paths from the flow set based on a number of deterministic features, generating a state machine based on the set of paths, and analyzing a new flow associated with a server in the network to determine the server as executing the network application.

Abstract: A method and system to detect botnet beaconing event based on a beacon detection rule set to generate a beacon alert, which is in turn used to trigger an elevated exfiltration detection activity by reducing various thresholds in an exfiltration detection rule set.

Abstract: The present invention relates to a method of compressing data in a network, the data comprising a plurality of packets each having a header and a payload, the header comprising a plurality of header fields, the method comprising generating a classification tree based on at least a portion of the plurality of header fields, determining a inter-packet compression plan based on the classification tree, and performing inter-packet compression in real time for each payload of at least a first portion of the plurality of packets, the inter-packet compression being performed according to at least a portion of the inter-packet compression plan.

Abstract: A method for profiling network traffic of a network. The method includes identifying a training set having captured payloads corresponding to a set of flows associated with a network application, determining a set of signature terms from the training set, representing a portion of the captured payloads as regular expressions, representing a regular expression as a path in a modified term transition state machine (MTTSM) including states coupled by at least a link that is assigned a signature term, and analyzing, based on the MTTSM, a flow separate from the set of flows and associated with a server in the network to determine the server as executing the network application.