Abstract: A method is provided to classify network traffic flows in real-time using spectral analysis techniques to extract regularities inside the network traffic flows. In one embodiment of the invention, subspace decomposition on power spectral density feature vectors and minimum coding length criterion are utilized for training traffic flows of different classifications. Experimental results are shown to demonstrate the effectiveness and robustness of the invention.

Abstract: A method is provided for identifying an event of network activity associated with a network where the network includes a plurality of interfaces and the method includes providing a first data structure comprising a node, partitioning the plurality of interfaces into a plurality of groups, associating the plurality of groups with the node, providing a vector corresponding to a group of the plurality of groups for representing a summary of the network activity, and identifying an event of network activity according to the vector. Experimental results are shown to demonstrate the effectiveness and robustness of the invention.

Abstract: The present invention relates to a method of managing a network. The method steps includes extracting a signature from a first traffic flow of a plurality of traffic flows on the network based on layer-3/layer-4 information of the first traffic flow, storing the signature and an identification of a layer-7 application associated with the signature in a signature repository, identifying a second traffic flow of the plurality of traffic flows being associated with the layer-7 application by correlating the second traffic flow to the signature, and managing the network based on layer-7 application identification of the plurality of traffic flows.

Abstract: A transport protocol data flow reconstruction method delays determination that a missing packet is lost for a period of time. For an evaluated TCP packet in a first direction, the method determines if a TCP packet is missing in a second direction, in which case the method stores the evaluated TCP packet in a list and creates an acknowledgement timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the acknowledgment timer indicates a missing packet in the second direction. The method determines if a TCP packet is missing in the first direction, in which case the method stores the evaluated TCP packet in the list and creates a retransmission timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the retransmission timer indicates a missing packet in the first direction.

Abstract: The popularity of web pages is monitored and used to rank the web pages retrieved in response to an Internet search. The popularity of a web page is proportionate to the number of visits to that web page. Web pages with greater popularity are ranked higher in priority. Furthermore, the score of a first web page is propagated to a plurality of second web pages to which the first web page is linked substantially in relative proportion to the popularity of the links from the first web page to each of the second web pages. Monitoring devices monitor TCP packets traversing the Internet and extract information from the TCP packets, such as the requested URI or URL, the client IP address, a server IP address and a server host name, and a referrer URI, if any. The extracted information is forwarded to a processing module that keeps track of the popularity of the web pages.

Abstract: The present invention efficiently detects various DDoS attacks for large scale Internet with the temporal correlation of traffic flows on the two directions of a single link, the spatial correlation of DDoS attack traffic at different locations and powerful machine learning algorithms. With these techniques, the present invention effectively detects and identifies attack sources without modifying existing IP forwarding mechanisms and without a global upgrade to Internet backbone routers. More importantly, the present invention can detect synchronized DDoS attacks even if the volume of attack traffic is extremely small at the location that is close to the attack source.

Abstract: An important component of network monitoring is to collect traffic data which is a bottleneck due to large data size. We introduce a new table compression method called “Group Compression” to address this problem. This method uses a small training set to learn the relationship among columns and group them; the result is a “compression plan”. Based on this plan, each group is compressed separately. This method can reduce the compressed size to 60%-70% of the IP flow logs compressed by GZIP.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.

Abstract: A transport protocol data flow reconstruction method delays determination that a missing packet is lost for a period of time. For an evaluated TCP packet in a first direction, the method determines if a TCP packet is missing in a second direction, in which case the method stores the evaluated TCP packet in a list and creates an acknowledgement timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the acknowledgment timer indicates a missing packet in the second direction. The method determines if a TCP packet is missing in the first direction, in which case the method stores the evaluated TCP packet in the list and creates a retransmission timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the retransmission timer indicates a missing packet in the first direction.

Abstract: A transport protocol data flow reconstruction method delays determination that a missing packet is lost for a period of time. For an evaluated TCP packet in a first direction, the method determines if a TCP packet is missing in a second direction, in which case the method stores the evaluated TCP packet in a list and creates an acknowledgement timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the acknowledgment timer indicates a missing packet in the second direction. The method determines if a TCP packet is missing in the first direction, in which case the method stores the evaluated TCP packet in the list and creates a retransmission timer indicating a maximum time to wait until treating the missing TCP packet as lost. Expiration of the retransmission timer indicates a missing packet in the first direction.

Abstract: A method and apparatus are disclosed for providing additional information, such as advertisements, to a client device via the response signal to an application (or web) server request. A client device is in communication with a server device, and sends a request for information to the server via a network connection. A device is associated with the network connection that detects and analyzes the signals being exchanged. The device would likely be associated with a point-of-presence to an Internet connection, for an ISP or the like. The associated device sends an appropriately timed reset signal to the server device that prevents the server device from further responding to signals subsequently received from the client device. The associated device sends, in response to the web server request, a response signal to the client device. The response signal provides additional information, along with the originally requested web server material.