Abstract: A network stack includes a packet loss analyzer that distinguishes between packet losses due to congestion and due to lossyness of network connections. The loss analyzer observes the packet loss patterns for comparison with a packet loss model. The packet loss model may be based on a Forward Error Correction (FEC) system. The loss analyzer determines if lost packets could have been recovered by a receiving network device, if FEC had been used. If the lost packets could have been corrected by FEC, the loss analyzer assumes that no network congestion exists and that the packet loss comes from the lossy aspects of the network, such as radio interference for wireless networks. If the loss analyzer determines that some of the lost packet could not have been recovered by the receiving network device, the loss analyzer assumes that network congestion causes these packet losses and reduces the data rate.

Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Abstract: Serial clustering uses two or more network devices connected in series via a local and/or wide-area network to provide additional capacity when network traffic exceeds the processing capabilities of a single network device. When a first network device reaches its capacity limit, any excess network traffic beyond that limit is passed through the first network device unchanged. A network device connected in series with the first network device intercepts and will process the excess network traffic provided that it has sufficient processing capacity. Additional network devices can process remaining network traffic in a similar manner until all of the excess network traffic has been processed or until there are no more additional network devices. Network devices may use rules to determine how to handle network traffic. Rules may be based on the attributes of received network packets, attributes of the network device, or attributes of the network.