Abstract: A method for profiling network traffic of a network. The method includes obtaining a signature library comprising a plurality of signatures corresponding to a plurality of behavioral models, generating, based on a first pre-determined criterion, a group behavioral model associated with the signature library, wherein the group behavioral model represents a common behavior of a plurality of historical flows identified from the network traffic, wherein each of the plurality of signatures correlates to a subset of the plurality of historical flows, selecting a flow in the network traffic for including in a target flow set, wherein the flow matches the group behavioral model without matching any of the plurality of behavioral models, analyzing the target flow set to generate a new signature, and adding the new signature to the signature library. Further, each behavioral model is generated from a kernel constructed using boosting of decision tree learning methods.

Abstract: Embodiments of the invention address the problem of detecting bots in network traffic based on a classification model learned during a training phase using machine learning algorithms based on features extracted from network data associated with either known malicious or known non-malicious client and applying the learned classification model to features extracted in real-time from current network data. The features represent communication activities between the known malicious or known non-malicious client and a number of servers in the network.

Abstract: The present invention relates to a method of profiling an Internet endpoint associated with an Internet Protocol (IP) address, an IP prefix, or a domain name, the method includes generating a profiling rule using an Internet search engine, obtaining a search result by inputting the IP address, the IP prefix, or the domain name to the Internet search engine, and classifying the Internet endpoint based on the search result using the profiling rule.

Abstract: The invention relates to a method for profiling VoIP activity in network traffic. The method includes obtaining a plurality of audio packets from a plurality of packets in the network traffic by analyzing a plurality of parameter sets based on a first pre-determined criterion, wherein each of the plurality of parameter sets corresponds to a packet of the plurality of packets and comprises a packet size and a packet arrival time associated with a corresponding packet of the plurality of packets, generating a count of an IP address by counting at least a portion of the plurality of audio packets, wherein each packet of the portion of the plurality of audio packets comprises the IP address, and identifying an endpoint corresponding to the IP address as a VoIP server and identifying the portion of the plurality of audio packets as VoIP activity associated with the VoIP server when the count exceeds a pre-determined threshold.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test-bed experimentation.

Abstract: A method for content transmission in a cellular network having a collection of cellular zones. The method includes obtaining a statistical trace associated with the cellular network, comprising attributes of historical content chunks received from prior users of the cellular network and trajectories of the prior users moving within the cellular zones, analyzing the statistical trace to identify a portion of the cellular zones as drop zones, allocating drop zone transmission bandwidth to the drop zones based on a pre-determined criterion, receiving, subsequent to the allocating, a transmission request for a content chunk from a mobile device of a user outside the drop zones, delaying transmission of the content chunk while the mobile device remains outside of the drop zones, and transmitting the content chunk in response to detecting the mobile device within the drop zones.

Abstract: A method for detecting automatically generated malicious domain names in a network. The method includes identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre-determined criterion.

Abstract: A method for providing location based service in a cellular data service network (CDSN) by analyzing accounting data packets of the CDSN to determine a user mobility pattern, classifying application data packets of the CDSN into pre-determined application categories, analyzing the accounting data packets and the application data packets to associate the user mobility pattern and one of the pre-determined application category, comparing a newly received accounting data packet and the user mobility pattern to identify a match, and providing, in response to identifying the match, the location based service to a user based on the pre-determined application category.

Abstract: Embodiments of the invention provide a framework for traffic classification that bridges the gap between the packet content inspection and the flow-based behavioral analysis techniques. In particular, IP packets and/or IP flows are used as an input, network nodes are associated to specific network applications by leveraging information gathered from the web, and packet content signatures are extracted in an off-line fashion using clustering and signature extraction algorithms. The signatures learned are systematically exported to a traffic classifier that uses the newly available signatures to classify applications on-the-fly.

Abstract: A method for real-time speaker recognition including obtaining speech data of a speaker, extracting, using a processor of a computer, a coarse feature of the speaker from the speech data, identifying the speaker as belonging to a pre-determined speaker cluster based on the coarse feature of the speaker, extracting, using the processor of the computer, a plurality of Mel-Frequency Cepstral Coefficients (MFCC) and a plurality of Gaussian Mixture Model (GMM) components from the speech data, determining a biometric signature of the speaker based on the plurality of MFCC and the plurality of GMM components, and determining in real time, using the processor of the computer, an identity of the speaker by comparing the biometric signature of the speaker to one of a plurality of biometric signature libraries associated with the pre-determined speaker cluster.

Abstract: The present invention relates to a method for containing propagation of a malware in a communication network having a plurality of communication nodes.

Abstract: The present invention relates to a method of compressing data in a network, the data comprising a plurality of packets each having a header and a payload, the header comprising a plurality of header fields, the method comprising generating a classification tree based on at least a portion of the plurality of header fields, determining a inter-packet compression plan based on the classification tree, and performing inter-packet compression in real time for each payload of at least a first portion of the plurality of packets, the inter-packet compression being performed according to at least a portion of the inter-packet compression plan.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.

Abstract: The present invention relates to a method of profiling an Internet endpoint associated with an Internet Protocol (IP) address, the method includes generating a profiling rule using an Internet search engine, obtaining a search result by inputting the IP address to the Internet search engine, and classifying the Internet endpoint based on the search result using the profiling rule.

Abstract: The present invention comprises a multi-tier system. Major goals of the system are to 1) clearly visualize BGP dynamics and alert/report important deviation of BGP dynamics to avoid overwhelming the operators with too much information and 2) analyze the root cause of the problems by using a multi-tier approach, with a light-computational analysis and high-level classification for a real-time problem identification followed by a more rigorous off-line analysis for a further and more detailed trouble shooting. An example embodiment is provided that comprises four modules. The first module comprises a distributed family of collectors in charge of collecting real-time network information. The second module filters out non-relevant prefixes and extracts and profiles key features of the network information.

Abstract: Embodiments of the invention provide a framework for traffic classification that bridges the gap between the packet content inspection and the flow-based behavioral analysis techniques. In particular, IP packets and/or IP flows are used as an input, network nodes are associated to specific network applications by leveraging information gathered from the web, and packet-level and/or flow-level signatures are extracted in an off-line fashion using clustering and signature extraction algorithms. The signatures learned are systematically exported to a traffic classifier that uses the newly available signatures to classify applications on-the-fly.

Abstract: A method for performing a network operation is disclosed. The method includes obtaining an association matrix representing association parameters between first entities and second entities of the network, generating a reduced matrix of the association matrix by aggregating the first entities into a reduced number of representative entities, partitioning a set containing the representative entities and the second entities into intermediate co-clusters based on a reduced-matrix based cohesiveness criterion, generating an expanded intermediate co-cluster from an intermediate co-cluster, partitioning the expanded intermediate co-cluster into final co-clusters based on an association-matrix based cohesiveness criterion, generating a profile of network activities based on the final co-clusters, and performing the network operation based on the profile of the network activities.

Abstract: The present invention relates to a method of detecting invalid border gateway protocol (BGP) route in a network, wherein network traffic is routed based at least on BGP announcements from one or more BGP routers, the method comprising obtaining a plurality of routing information objects from the BGP announcements during an observation window, each routing information object comprising at least one selected from a group consisting of an prefix-origin autonomous system (AS) association and a directed AS-link, identifying a transient routing information object having at least one selected from a group consisting of a up time less than a first pre-determined threshold or a lifespan less than a second pre-determined threshold, defining a valid routing information object set by eliminating the transient routing information object from the plurality of routing information objects, and detecting a BGP route from the BGP announcements as invalid based on the valid routing information object set.

Abstract: The invention relates to a method for generating a prefix hijacking alert in a network, wherein a plurality of network traffic flows are routed based at least on a plurality of prefix announcements from one or more Border Gateway Protocol (BGP) router, the method comprises identifying an anomalous prefix from the plurality of prefix announcements, identifying a network traffic anomaly from the plurality of network traffic flows, and correlating the anomalous prefix and the network traffic anomaly to generate the prefix hijacking alert.

Abstract: A method and an apparatus is provided that is efficient in detecting network virus and worms while using only the layer-4 information that is easily extracted from core routers and also be scalable when layer-7 information is available. Entropy analysis is used to identify anomalous activity at the flow level. Thereafter, only the contents of suspicious flows are analyzed with fingerprinting extraction. By doing so, the present invention brings together the characteristics of being deployable for real-time high data to rate links and the efficiency and reliability of content fingerprinting techniques.