Abstract: Systems and methods are provided for collecting and analyzing packet data flows. A flow collector generates flow data records based on each packet that is observed at one or more network monitoring points. A flow processor receives the flow data records from one or more flow collectors and examines the flow data records to identify related flows. Further features, such as content capture and application identification, are also provided.

Abstract: A security incident manger includes events and network flows in the analysis of an attack to better identify the magnitude of the attack and how to handle the situation. The raw events are reported by monitored devices and the incident manager may request network flows from various devices corresponding to a raw event. The manager then assigns a variable score to the severity, the relevance and the credibility of the event to determine its next processing steps. Those events that appear to be a likely and effective attack are classified as offenses. Offenses are stored in order to provide additional data for evaluating future events and for building a “rap sheet” against repeat attackers and repeat events.

Abstract: A method of simulating network activities includes building a model of the network, the model including data retrieved over a predetermined period of time. The method further includes running a plurality of queries against the model to determine their impacts on the network.

Abstract: A network security system takes an active approach to network security. This is accomplished by providing intelligence about other networks. A master network intelligence database is established that uses a plurality of network information agents for gathering information about networks and providing the information to the master network intelligence database. A customer network security system is then able to secure the customer network in dependence upon information received from the master network intelligence. Security information includes at least one of hostility level on the Internet, collected from numerous sites; security event history; spam levels; hosted services; public wireless; organization type; organization associations; peer ISPs; bandwidth connection to the Internet; active security measures; number of users on the network; age of the network; inappropriate content served; industry; geographic placement; open proxy servers; and contact information.

Abstract: A system for matching a system event to a rule is disclosed. The system includes a computer-readable data structure comprising a plurality of system event rules organizable as a partially ordered set. The system also includes a processor configured to analyze the computer-readable data structure to determine whether an event matches a description set of at least one rule from the plurality of system event rules. Methods and machine-readable mediums are also disclosed.

Abstract: A method of simulating network activities includes building a model of the network, the model including data retrieved over a predetermined period of time. The method further includes running a plurality of queries against the model to determine their impacts on the network.