Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Abstract: Methods and apparatus are provided for intercepting a client-server communication connection in a computing environment. A first network intermediary configured to facilitate optimization of client-server transactions may be installed in a path of communications between the client and the server. A second network intermediary configured to cooperate with the first network intermediary is not in the path of communications between the client and the server. The first network intermediary intercepts a connection request from the client and forwards a modified request toward the server. A module within the server intercepts the connection request and redirects it to the second network intermediary. The client-server connection is thus split-terminated at the two network intermediaries, which establish cooperative sessions between themselves and with the client and with the server.

Abstract: Some embodiments of the present invention provide systems and methods for detecting anomalies in network traffic. Some embodiments detect anomalies based on time-series activity in network traffic. Upon detection of an anomaly, significant changes can be analyzed to identify abnormal changes in network traffic across different network entities. The identified changes can then be used to determine the cause and the impact of the detected anomaly on the network traffic.

Abstract: In a system where transactions are accelerated with asynchronous writes that require acknowledgements, with pre-acknowledging writes at a source of the writes, a destination-side transaction accelerator includes a queue for queue writes to a destination, at least some of the writes being pre-acknowledged by a source-side transaction accelerator prior to the write completing at the destination, a memory for storing a status of a destination-side queue and possibly other determinants, and logic for signaling to the source-side transaction accelerator with instructions to alter pre-acknowledgement rules to hold off on and pursue pre-acknowledgements based on the destination-side queue status. The rules can take into account adjusting the flow of pre-acknowledged requests or pre-acknowledgements at the sender-side transaction accelerator based at least on the computed logical length.

Abstract: Protocol acceleration is performed between clients and servers over a network wherein transport connections are established between clients/servers and/or their proxies for acceleration of traffic that uses certain protocols. A first transport connection for a first application protocol and a second transport connection for a second application protocol can be made between two proxies, wherein a client-side proxy is in communication with a client and a server-side proxy is in communication with a server, and the proxies use information from message payloads flowing between the client device and the server device over the first transport connection for acceleration of traffic over the second transport connection. Examples of transport protocols include a file server protocol and a storage access protocol. Cross-protocol acceleration can be expanded so that information obtained for one client on one protocol can be used to accelerate traffic for another client with the same or different protocol.

Abstract: Methods, systems, and apparatus provide efficient and flexible networking quality of service as well as transport protocol design. A hybrid transport/network quality of service (HTNQ) scheme improves the performance of TCP over specific links or network paths that are subject to high latency, a high bandwidth-delay product, high packet loss, and/or bit errors. A callback mechanism can be used between a packet scheduler and a transport module to control the transmission rate of packets across one or more connections or links.

Abstract: A network stack includes a packet loss analyzer that distinguishes between packet losses due to congestion and due to lossyness of network connections. The loss analyzer observes the packet loss patterns for comparison with a packet loss model. The packet loss model may be based on a Forward Error Correction (FEC) system. The loss analyzer determines if lost packets could have been recovered by a receiving network device, if FEC had been used. If the lost packets could have been corrected by FEC, the loss analyzer assumes that no network congestion exists and that the packet loss comes from the lossy aspects of the network, such as radio interference for wireless networks. If the loss analyzer determines that some of the lost packet could not have been recovered by the receiving network device, the loss analyzer assumes that network congestion causes these packet losses and reduces the data rate.

Abstract: Two or more network traffic processors connected with the same LAN and WAN are identified as neighbors. Neighboring network traffic processors cooperate to overcome asymmetric routing, thereby ensuring that related sequences of network traffic are processed by the same network proxy. A network proxy can be included in a network traffic processor or as a standalone unit. A network traffic processor that intercepts a new connection initiation by a client assigns a network proxy to handle all messages associated with that connection. The network traffic processor conveys connection information to neighboring network traffic processors. The neighboring network traffic processors use the connection information to redirect network traffic associated with the connection to the assigned network proxy, thereby overcoming the effects of asymmetric routing. The assigned network proxy handles redirected network traffic in much the same way that it would handle network traffic received directly.

Abstract: A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Abstract: In address-manipulation enabled transaction accelerators, the transaction accelerators include outer-connection addressing information in packets emitted over an inner connection between transaction accelerators and inner-connection addressing information is added in packets sent over the inner connection. The inner-connection addressing information can be carried in TCP option fields, directly in other fields, or indirectly through data structures maintained by the endpoints processing the connection. Address information can be encoded into header fields originally intended for other purposes but that are unused or encoded into used fields, overlaid in combination with other data that is being carried in those used fields. The existence of inner-connection addressing information in a packet can be signaled by a flag in the packet, by a bit or other designated encoding. The flag can be in an unused header field or overlaid.

Abstract: Network traffic is monitored and an optimal framing heuristic is automatically determined and applied. Framing heuristics specify different rules for framing network traffic. While a framing heuristic is applied to the network traffic, alternative framing heuristics are speculatively evaluated for the network traffic. The results of these evaluations are used to rank the framing heuristics. The framing heuristic with the best rank is selected for framing subsequent network traffic. Each client/server traffic flow may have a separate framing heuristic. The framing heuristics may be deterministic based on byte count and/or time or based on traffic characteristics that indicate a plausible point for framing to occur.

Abstract: A method and apparatus are provided for split-terminating a secure client-server communication connection, with client authentication. During handshaking between the client and the server, cooperating network intermediaries relay the handshaking messages, without altering the messages. At least one of the intermediaries possesses a private key of the server, and extracts a set of data fields from the handshaking messages, including a Client-Key-Exchange message that can be decrypted with the private key. The intermediary uses the extracted data to compute the client-server session key separate from the client's and the server's similar computation, and may transmit the key to the other intermediary via a secure communication channel. The client and the server thus establish the end-to-end client-server connection, and may authenticate each other, after which the network intermediaries may intercept and optimize the client-server communications transparently to the client and the server.

Abstract: A traffic manager (121-124) for, and a method of, routing network traffic to a plurality of server computers (131-138). The traffic manager includes a network interface (204) and a processor (201). The processor is configured to receive network traffic comprising a request (701 ,702) from a client computer (102-105) via the network interface. The processor is configured to then identify, based on attributes of the request, a server computer that is responsible for servicing the request (a responsible server). The processor is configured to then route the request to the responsible server using the network interface.

Abstract: Proxy devices associate their direct connection with a client/server connection passing through one or more NAT devices. First proxy device receives a network connection request from a client. First proxy device stores connection information in association with a connection identifier. Connection information may reflect the usage of NAT devices between the two proxy devices. First proxy device sends a connection response including the connection identifier to the client. Second proxy device sends a direct connection request to first proxy device to establish a direct connection. Direct connection request includes the connection identifier, which is used by first proxy device to associate the direct connection with stored connection information. First proxy device may use the connection information to direct network traffic received via this direct connection to the correct destination and to divert network traffic from the server to the client through the direct connection and first and second proxy devices.

Abstract: Access to compound data over a wide-area network is optimized by analyzing metadata within compound data to identify internal and external data streams to be prefetched. Upon receiving or intercepting a network packet including an access request for a data resource, metadata in this data resource is analyzed to identify associated data streams and their storage locations within and/or outside of the data resource. Data streams may be proactively or reactively prefetched. Proactive prefetching identifies and retrieves data streams or portions thereof likely to be accessed by a client based on attributes associated with the data resource. Reactive prefetching identifies portions of data streams associated with received access requests and retrieves additional portions of these data streams. Prefetched data streams or portions thereof are stored in a data storage on the same local network or near to the local network including the client.

Abstract: A system and method for managing data is provided. The system includes a network for interconnecting a plurality of computers. A data storage means is connected to the network to receive, store and transmit a plurality of files to and from the network. A plurality of computers is also connected to the network. Each computer is configured for originating and for receiving files. Each of the files has a unique identifier associated therewith. Each computer may retrieve a file from the data storage means using the unique identifier.

Abstract: Serial clustering uses two or more network devices connected in series via a local and/or wide-area network to provide additional capacity when network traffic exceeds the processing capabilities of a single network device. When a first network device reaches its capacity limit, any excess network traffic beyond that limit is passed through the first network device unchanged. A network device connected in series with the first network device intercepts and will process the excess network traffic provided that it has sufficient processing capacity. Additional network devices can process remaining network traffic in a similar manner until all of the excess network traffic has been processed or until there are no more additional network devices. Network devices may use rules to determine how to handle network traffic. Rules may be based on the attributes of received network packets, attributes of the network device, or attributes of the network.

Abstract: Network traffic information from multiple sources, at multiple time scales, and at multiple levels of detail are integrated so that users may more easily identify relevant network information. The network monitoring system stores and manipulates low-level and higher-level network traffic data separately to enable efficient data collection and storage. Packet traffic data is collected, stored, and analyzed at multiple locations. The network monitoring locations communicate summary and aggregate data to central modules, which combine this data to provide an end-to-end description of network traffic at coarser time scales. The network monitoring system enables users to zoom in on high-level, coarse time scale network performance data to one or more lower levels of network performance data at finer time scales.

Abstract: Network traffic information from multiple sources, at multiple time scales, and at multiple levels of detail are integrated so that users may more easily identify relevant network information. The network monitoring system stores and manipulates low-level and higher-level network traffic data separately to enable efficient data collection and storage. Packet traffic data is collected, stored, and analyzed at multiple locations. The network monitoring locations communicate summary and aggregate data to central modules, which combine this data to provide an end-to-end description of network traffic at coarser time scales. The network monitoring system enables users to zoom in on high-level, coarse time scale network performance data to one or more lower levels of network performance data at finer time scales.

Abstract: Self-discovering transaction accelerators improve communications between a client and a server. A client directs a message to a server. A client-side transaction accelerator intercepts the message, terminates the connection with the client, and accelerates the request by replacing segments of data with references. The accelerated request is forwarded to a server-side transaction accelerator through a new connection. The server-side transaction accelerator reconstructs the message by replacing the reference with segment data in a persistent segment store accessible to the server-side transaction accelerator. The reconstructed request is then provided to the server. Accelerations may occur in any direction of communication. Persistent segment stores can be pre-populated with segment data from other transaction accelerators and anticipated transactions.