Abstract: A non-transitory computer readable storage medium, comprising executable instructions to collect network traffic data, produce a Fourier signature from the network traffic data, associate the Fourier signature with a known pattern, collect new network traffic data, produce a new Fourier signature from the new network traffic data, compare the new Fourier signature with the Fourier signature to selectively identify a match and associate the new network traffic data with the known pattern upon a match.

Abstract: A non-transitory computer readable storage medium includes executable instructions to identify specified network interactions initiated by a client machine. The specified network interactions are compared to normative values to produce a promiscuity score indicative of the risk of the client machine contracting malicious software. Depending upon the promiscuity score, prophylactic actions are optionally applied to the client machine.

Abstract: An indexing database utilizes a non-transitory storage medium. A pattern matching processing unit generates preclassification data for the network data packets utilizing pattern matching analysis. At least one processing unit implements a storage process that receives the network data packets, stores the network data packets in at least one of the slots, and transfers the network data packets to a packet capture repository when slots in a shared memory are full. A preclassification process requests from the pattern matching processing unit the preclassification data. An indexing process determines, based upon the preclassification data, whether to invoke or omit additional analysis of the network data packets, and performs at least one of aggregation, classification, or annotation of the network data packets in the shared memory to maintain one or more indices in the indexing database.

Abstract: A method, system, and apparatus of network artifact identification and extraction are disclosed. In one embodiment, a method includes aggregating a payload data (e.g., may be a component of the extracted artifact) from different network packets to form an aggregated payload data, matching the payload data with an entry of a library of known artifacts, determining a type of the payload data based on a match with the entry of the library of known artifacts, separating the payload data from a header data in a network packet, and communicating the aggregated payload data as an extracted artifact to a user. The method may include using the extracted artifact to perform network visibility analysis of users on packets flowing across the network. The method may validate that the entry is accurate by performing a deeper analysis of the payload data with the entry of the library of known artifacts.

Abstract: A method of sampling data in a database includes designating permanent read locations in a database. The database is populated with randomly loaded data. The permanent read locations in the database are sampled to form sampled repeatable results attributable to the permanent read locations and the randomly loaded data.

Abstract: A system and method of presentation of an extracted artifact based on an indexing technique are disclosed. In an embodiment, the method includes indexing a database of a captured network characteristic data using a processor and a memory to form an indexed capture data. The method includes enhancing a query response time with the indexed capture data. The method further includes searching the indexed capture data to generate a capture query result. The capture query result includes an extracted artifact. The method also includes graphically presenting the capture query result as at least one of an artifact list and an artifact image.

Abstract: An indexing database utilizes a non-transitory storage medium. A pattern matching processing unit generates preclassification data for the network data packets utilizing pattern matching analysis. At least one processing unit implements a storage process that receives the network data packets, stores the network data packets in at least one of the slots, and transfers the network data packets to a packet capture repository when slots in a shared memory are full. A preclassification process requests from the pattern matching processing unit the preclassification data. An indexing process determines, based upon the preclassification data, whether to invoke or omit additional analysis of the network data packets, and performs at least one of aggregation, classification, or annotation of the network data packets in the shared memory to maintain one or more indices in the indexing database.

Abstract: HTTP layered reconstruction is disclosed. A database is queried to identify a location of a previously reconstructed HTML artifact file or packet data of a HTML file in a repository that stores packet data captured from a network. The reconstructed HTML file is analyzed. Links to external files are identified and the database is queried to identify a location of previously reconstructed artifact files or packet data of associated external files. The external files are reconstructed, as needed. A web page is then reconstructed based on the reconstructed HTML file and reconstructed external files, presenting a view of the web page as it originally appeared to a user. A user may specify which external file types to include and/or not include. New versions of external files may be obtained and indicated in the reconstructed web page when associated artifact files or packet data are not stored within the repository.

Abstract: Methods and a system of capture and regeneration of a network data using a virtual software switch are disclosed. In an embodiment, a method includes capturing a network data using a virtual software switch, a processor, and a memory. The network data is captured to perform a network visibility analysis and the network data is communicated to at least one port of the virtual software switch. The method includes forming a stored network data in a memory. The method also includes regenerating the stored network data to form a reconstructed data.

Abstract: Storing and indexing of high-speed network traffic data is disclosed. In one embodiment, a method of network database maintenance includes sequentially recording in real-time packet header and/or packet content attributes derived from network packets captured and stored in one of a packet capture repository and a file system in database units ordered by arrival of the network packet data. In addition, the method includes indexing each database unit to point to a memory location of the network packet data in one of the packet capture repository and the file system. The method also includes computing a hash value on certain input data and creating index bitmaps on each database unit to facilitate grouping of a similar attributes associated with the network packet data recorded in the database units. The resulting data may then be stored in compressed and/or encrypted formats on a file system for efficiency and security.

Abstract: Methods and a system of method and apparatus for real time identification and recording of artifacts are disclosed. In one embodiment, a method of network database maintenance includes designating a network packet data to be stored in one of a packet capture repository and a file system resident database to indicate an artifact type, a protocol type, an application, a user-definable attribute, and a temporal session duration based on a real-time packet inspection. The method includes grouping the designated packet data in a database including packet data having a similar one of the artifact type, the protocol type, the application, the user-definable attribute and the temporal session duration. In addition, the method of network database maintenance includes indexing the database to point to a memory location of the designated packet data grouped in the database in the packet capture repository.

Abstract: This is invention comprises a method an apparatus for Infinite Network Packet Capture System (INPCS). The INPCS is a high performance data capture recorder capable of capturing and archiving all network traffic present on a single network or multiple networks. This device can be attached to Ethernet networks via copper or SX fiber via either a SPAN port (101) router configuration or via an optical splitter (102). By this method, multiple sources or network traffic including gigabit Ethernet switches (102) may provide parallelized data feeds to the capture appliance (104), effectively increasing collective data capture capacity. Multiple captured streams are merged into a consolidated time indexed capture stream to support asymmetrically routed network traffic as well as other merged streams for external consumption.

Abstract: This is invention comprises a method and apparatus for Infinite Network Packet Capture System (INPCS). The INPCS is a high performance data capture recorder capable of capturing and archiving all network traffic present on a single network or multiple networks. This device can be attached to Ethernet networks via copper or SX fiber via either a SPAN port (101) router configuration or via an optical splitter (102). By this method, multiple sources or network traffic including gigabit Ethernet switches (102) may provide parallelized data feeds to the capture appliance (104), effectively increasing collective data capture capacity. Multiple captured streams are merged into a consolidated time indexed capture stream to support asymmetrically routed network traffic as well as other merged streams for external consumption.

Abstract: This is invention comprises a method and apparatus for Infinite Network Packet Capture System (INPCS). The INPCS is a high performance data capture recorder capable of capturing and archiving all network traffic present on a single network or multiple networks. This device can be attached to Ethernet networks via copper or SX fiber via either a SPAN port (101) router configuration or via an optical splitter (102). By this method, multiple sources or network traffic including gigabit Ethernet switches (102) may provide parallelized data feeds to the capture appliance (104), effectively increasing collective data capture capacity. Multiple captured streams are merged into a consolidated time indexed capture stream to support asymmetrically routed network traffic as well as other merged streams for external consumption.