Abstract: A method for determination of a network topology includes generating a list of device sets for a destination; removing any duplicate device sets from the list; creating a tree for the destination by introducing a root node into the tree; sorting the list of device sets for the destination by length; removing the shortest device set from the list; introducing a new node representing the shortest device set into the tree; determining whether a node in the tree represents a maximum length subset of the shortest device set, and in the event that a node is determined, connecting the new node to the determined node, or else connecting the new node to the root node; setting the identifier of the introduced node to a list of members of the shortest device set that are not included in the maximum length subset of the determined node.

Abstract: The invention relates to an apparatus for analysing a network flow, comprising—a parser for extracting flow identification information from the network flow, —a flow metering unit for metering the network flow, —a programmable controller for controlling the flow metering unit and the parser.

Abstract: A system and method for monitoring packetized traffic flow in a network and enabling approximation of the rate information of a network flow. The method for monitoring network traffic flow includes receiving, at a network packet flow collector device, packetized traffic flow signals to be monitored; sampling said received packetized traffic flow signals in time to form an approximation of the packet flow rate in time; generating packet flow activity data comprising data representing the sampled traffic flow signals sampled in time; communicating the packet flow activity data to a network packet flow analyzer device and processing the flow activity data to form signals representing an approximate version of the network traffic flow in the network, the analyzer processing the traffic flow signals for reconstructing the rate of the netflow as a function of time.

Abstract: A method for probabilistic lossy counting includes: for each element in a current window, determining whether an entry corresponding to a current element is present in a table; in the event an entry corresponding to the current element is present in the table, incrementing a frequency counter associated with the current element; otherwise, inserting an entry into a table, wherein inserting an entry comprises: calculating a probabilistic error bound ? based on an index i of the current window; and inserting the probabilistic error bound ? and a frequency counter into an entry corresponding to the current element in the table; and at the end of the current window, removing all elements from the table wherein the sum of the frequency counter and probabilistic error bound ? associated with the element is less than or equal to the index of the current window.

Abstract: Methods, systems and computer program products for detecting flow-level network traffic anomalies via abstraction levels. An exemplary embodiment includes a method for detecting flow-level network traffic anomalies in a computer network, the method including obtaining current distributions of flow level traffic features within the computer network, computing distances of the current distributions' components from a distributions model, comparing the distances of the current distributions to distance baselines from the distributions model, determining if the distances are above a pre-determined thresholds and in response to one or more of the distances being above the pre-determined thresholds in one or more distributions, identifying the current condition to be abnormal and providing indications to its nature.

Abstract: Network flow records from various administrative domains are provided to a network monitoring entity. The network monitoring entity analyzes the network flow records in a way to locate a source of malicious network flow.

Abstract: Systems, methods, and computer program products for extracting port-level information of Web services with flow-based network monitoring. Exemplary embodiments include a method for extracting port-level information of Web services with flow-based network monitoring, the method including identifying a registry machine, coupling the registry machine to a traffic meter and flow monitor dynamically configuring the traffic meter, including exporting a first n bytes of a traffic payload exporting a sub-second traffic flow start and end times, extracting service provider information from traffic flow exports, including analyzing the exported n bytes of the traffic payload to extract port-level information at the flow monitor, extracting a value of an access point element, mapping a logical service provider address to a physical address and inserting the service into a Web Service Provider Registry within the flow meter, thereby populating the Web Service Provider Registry.

Abstract: A method of calculating a valley-free shortest path between two autonomous systems having a first graph representing an autonomous system topology and comprising a plurality of nodes and a plurality of links interconnecting the nodes, each link linking a first and a second node of the plurality of nodes. The method comprises generating a second graph using the first graph by: Mapping the nodes of the first graph into the second graph, by representing each node of the first graph by a respective uphill node and a downhill node; mapping each link of the first, second and third relationship type with a plurality of directed links between the uphill and downhill nodes according to the type of relationship. The method further comprises calculating the shortest-path route between two autonomous systems on the second graph, using the shortest-path routing algorithm.

Abstract: The present invention provides a system and method for time-series with compression accuracy as a function of time. Briefly described, in architecture, one embodiment of the system, among others, can be implemented as follows. The system includes a computer with a processor. The system performs a method receiving a data set on the computer, utilizing a plurality of filter banks to transform the data set into a plurality coefficients, wherein each coefficient is associated with a basis function, and quantizing the plurality of coefficients, wherein the quantization maps the plurality of coefficients into certain value ranges. Then, system further performs determining a threshold based upon each coefficient effect on a time domain, disregarding the coefficient that fall below the threshold, and storing any remaining coefficients as compressed data for the data set.

Abstract: This invention provides methods, apparatus, and systems for decompressing electronic documents. Utility of this invention includes use in validation and parsing of compressed XML documents. An example data processing method comprises receiving a compressed electronic document, decompressing the document and executing an analysis of the document during the decompression. The analysis determines whether the document conforms to defined syntax rules. In one example, a compressed XML document, while it is being decompressed, following receipt, will be parsed and/or validated at the same time.

Abstract: A medium and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The medium and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.

Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

Abstract: A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

Abstract: Methods and apparatus are provided for metering data packets having a plurality of different packet lengths in a data communications network. A token count TC is incremented at a token increment rate CIR subject to an upper limit CBS on the token count. On arrival of a packet of length L tokens, it is determined if both TC>0 and TC+n?L, where n is a defined number of tokens. If so, the data packet is categorized as in profile and L tokens are subtracted from the token count TC. Otherwise the data packet is categorized out of profile. In some embodiments, n is set to a value in the range 0<n<(Lmax?1) where Lmax is the maximum length of data packets to be metered. In other embodiments, n is varied in the range 0?n?(Lmax?1) in dependence on at least one feedback signal indicating an operational condition in the network. The degree of conformance of the metering system is determined by the parameter n, whereby the conformance level can be tuned to particular multi-length packet environments.

Abstract: A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.

Abstract: Methods and apparatus are provided for metering data packets having a plurality of different packet lengths in a data communications network. A token count TC is incremented at a token increment rate CIR subject to an upper limit CBS on the token count. On arrival of a packet of length L tokens, it is determined if both TC>0 and TC+n?L, where n is a defined number of tokens. If so, the data packet is categorized as in profile and L tokens are subtracted from the token count TC. Otherwise the data packet is categorized out of profile. In some embodiments, n is set to a value in the range 0<n<(Lmax?1) where Lmax is the maximum length of data packets to be metered. In other embodiments, n is varied in the range 0?n?(Lmax?1) in dependence on at least one feedback signal indicating an operational condition in the network. The degree of conformance of the metering system is determined by the parameter n, whereby the conformance level can be tuned to particular multi-length packet environments.

Abstract: A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.

Abstract: Methods and apparatus are provided for managing a data packet queue corresponding to a resource of a network device. A token count TC is maintained for a predefined flow of data packets, and the transmission of packets in the flow into the queue is controlled in dependence on this token count. The token count is decremented when packets in the flow are transmitted into the queue, and the token count is incremented at a token increment rate C. A bandwidth indicator, indicative of bandwidth availability in the resource, is monitored, and the token increment rate C is varied in dependence on this bandwidth indicator. The bandwidth-dependent variation of the token increment rate C is such that, when available bandwidth is indicated, the increment rate C is increased, and when no available bandwidth is indicated the increment rate C is decreased.

Abstract: Methods and apparatus are provided for controlling flow rates of a plurality of data packet flows into a queue 4 corresponding to a resource 3 of a network device 1. The flows comprise a set 7 of non-responsive flows, and a set 8 of other flows which may comprise responsive flows and/or flows whose responsiveness is unknown. The flow rates are managed in accordance with a queue management scheme such that adjustments are made to each flow rate in dependence on excess bandwidth in the resource, the amounts of the adjustments being dependent on one or more adjustment parameters for each flow. An error signal is generated based on the deviation from a desired allocation ratio of the ratio of the total flow rates into the queue 4 for the sets of flows 7, 8. At least one adjustment parameter for at least one flow is then varied in dependence on the error signal in such a manner as to reduce the aforementioned deviation.

Abstract: For determining a malicious workload pattern, the following steps are conducted. A training set of workload patterns is collected during a predetermined workload situation. A subset of the training set is being determined as an archetype set, the archetype set being considered to be representative of the predetermined workload situation. A threshold value dependent on the training set and the archetype set, and an evaluation value dependent on a given workload pattern and the archetype set are calculated. The given workload pattern is determined to be malicious if the evaluation value fulfils a given condition with respect to the threshold value.