Abstract: A method for performing a network operation is disclosed. The method includes obtaining an association matrix representing association parameters between first entities and second entities of the network, generating a reduced matrix of the association matrix by aggregating the first entities into a reduced number of representative entities, partitioning a set containing the representative entities and the second entities into intermediate co-clusters based on a reduced-matrix based cohesiveness criterion, generating an expanded intermediate co-cluster from an intermediate co-cluster, partitioning the expanded intermediate co-cluster into final co-clusters based on an association-matrix based cohesiveness criterion, generating a profile of network activities based on the final co-clusters, and performing the network operation based on the profile of the network activities.

Abstract: Embodiments of the invention provide a framework for traffic classification that bridges the gap between the packet content inspection and the flow-based behavioral analysis techniques. In particular, IP packets and/or IP flows are used as an input, network nodes are associated to specific network applications by leveraging information gathered from the web, and packet-level and/or flow-level signatures are extracted in an off-line fashion using clustering and signature extraction algorithms. The signatures learned are systematically exported to a traffic classifier that uses the newly available signatures to classify applications on-the-fly.

Abstract: The present invention comprises a multi-tier system. Major goals of the system are to 1) clearly visualize BGP dynamics and alert/report important deviation of BGP dynamics to avoid overwhelming the operators with too much information and 2) analyze the root cause of the problems by using a multi-tier approach, with a light-computational analysis and high-level classification for a real-time problem identification followed by a more rigorous off-line analysis for a further and more detailed trouble shooting. An example embodiment is provided that comprises four modules. The first module comprises a distributed family of collectors in charge of collecting real-time network information. The second module filters out non-relevant prefixes and extracts and profiles key features of the network information.

Abstract: The present invention relates to a method of detecting invalid border gateway protocol (BGP) route in a network, wherein network traffic is routed based at least on BGP announcements from one or more BGP routers, the method comprising obtaining a plurality of routing information objects from the BGP announcements during an observation window, each routing information object comprising at least one selected from a group consisting of an prefix-origin autonomous system (AS) association and a directed AS-link, identifying a transient routing information object having at least one selected from a group consisting of a up time less than a first pre-determined threshold or a lifespan less than a second pre-determined threshold, defining a valid routing information object set by eliminating the transient routing information object from the plurality of routing information objects, and detecting a BGP route from the BGP announcements as invalid based on the valid routing information object set.

Abstract: The invention relates to a method for generating a prefix hijacking alert in a network, wherein a plurality of network traffic flows are routed based at least on a plurality of prefix announcements from one or more Border Gateway Protocol (BGP) router, the method comprises identifying an anomalous prefix from the plurality of prefix announcements, identifying a network traffic anomaly from the plurality of network traffic flows, and correlating the anomalous prefix and the network traffic anomaly to generate the prefix hijacking alert.

Abstract: The present invention comprises methods for increasing the rank of the routing matrix of an IP network by systematically altering link weights in the IP network. A full rank routing matrix may be used with further methods in accordance with the present invention to estimate the mean traffic of the IP network based upon the full rank routing matrix and measured link utilization values. The mean traffic and the covariance of the traffic may be iteratively estimated until the estimates coverage. Example methods in accordance with the present invention for estimating mean traffic and covariance of traffic are described for both stationary and non-stationary link utilization data.

Abstract: The present invention provides methods for identifying high traffic origin-destination node pairs in a packet based network and for estimating the mean traffic between the high traffic origin-destination node pairs. High traffic origin-destination node pairs may be identified in accordance with the present invention by modeling the variance of traffic in a static routing environment and identifying the origin-destination node pairs with a high variance as high traffic origin-destination node pairs. For estimating purposes, traffic between low traffic origin-destination node pairs may be assumed to be a predetermined value, such as zero, to reduce the number of variables to estimate. Routing changes necessary to create a full rank routing matrix may be identified and applied to the network, and link utilization information collected under each routing scenario may be used to estimate the mean traffic between the high traffic origin-destination node pairs.

Abstract: The present invention provides methods for identifying high traffic origin-destination node pairs in a packet based network and for estimating the mean traffic between the high traffic origin-destination node pairs. High traffic origin-destination node pairs may be identified in accordance with the present invention by modeling the variance of traffic in a static routing environment and identifying the origin-destination node pairs with a high variance as high traffic origin-destination node pairs. For estimating purposes, traffic between low traffic origin-destination node pairs may be assumed to be a predetermined value, such as zero, to reduce the number of variables to estimate. Routing changes necessary to create a full rank routing matrix may be identified and applied to the network, and link utilization information collected under each routing scenario may be used to estimate the mean traffic between the high traffic origin-destination node pairs.

Abstract: A method and an apparatus is provided that is efficient in detecting network virus and worms while using only the layer-4 information that is easily extracted from core routers and also be scalable when layer-7 information is available. Entropy analysis is used to identify anomalous activity at the flow level. Thereafter, only the contents of suspicious flows are analyzed with fingerprinting extraction. By doing so, the present invention brings together the characteristics of being deployable for real-time high data to rate links and the efficiency and reliability of content fingerprinting techniques.

Abstract: A method is provided to classify network traffic flows in real-time using spectral analysis techniques to extract regularities inside the network traffic flows. In one embodiment of the invention, subspace decomposition on power spectral density feature vectors and minimum coding length criterion are utilized for training traffic flows of different classifications. Experimental results are shown to demonstrate the effectiveness and robustness of the invention.

Abstract: A method is provided for identifying an event of network activity associated with a network where the network includes a plurality of interfaces and the method includes providing a first data structure comprising a node, partitioning the plurality of interfaces into a plurality of groups, associating the plurality of groups with the node, providing a vector corresponding to a group of the plurality of groups for representing a summary of the network activity, and identifying an event of network activity according to the vector. Experimental results are shown to demonstrate the effectiveness and robustness of the invention.

Abstract: The present invention relates to a method of managing a network. The method steps includes extracting a signature from a first traffic flow of a plurality of traffic flows on the network based on layer-3/layer-4 information of the first traffic flow, storing the signature and an identification of a layer-7 application associated with the signature in a signature repository, identifying a second traffic flow of the plurality of traffic flows being associated with the layer-7 application by correlating the second traffic flow to the signature, and managing the network based on layer-7 application identification of the plurality of traffic flows.

Abstract: The present invention comprises methods for increasing the rank of the routing matrix of an IP network by systematically altering link weights in the IP network. A full rank routing matrix may be used with further methods in accordance with the present invention to estimate the mean traffic of the IP network based upon the full rank routing matrix and measured link utilization values. The mean traffic and the covariance of the traffic may be iteratively estimated until the estimates coverage. Example methods in accordance with the present invention for estimating mean traffic and covariance of traffic are described for both stationary and non-stationary link utilization data.

Abstract: The present invention efficiently detects various DDoS attacks for large scale Internet with the temporal correlation of traffic flows on the two directions of a single link, the spatial correlation of DDoS attack traffic at different locations and powerful machine learning algorithms. With these techniques, the present invention effectively detects and identifies attack sources without modifying existing IP forwarding mechanisms and without a global upgrade to Internet backbone routers. More importantly, the present invention can detect synchronized DDoS attacks even if the volume of attack traffic is extremely small at the location that is close to the attack source.

Abstract: An important component of network monitoring is to collect traffic data which is a bottleneck due to large data size. We introduce a new table compression method called “Group Compression” to address this problem. This method uses a small training set to learn the relationship among columns and group them; the result is a “compression plan”. Based on this plan, each group is compressed separately. This method can reduce the compressed size to 60%-70% of the IP flow logs compressed by GZIP.

Abstract: A method and system for identifying optimal mapping of logical links to the physical topology of a network is provided. Upon obtaining one or more mapping options for mapping multiple logical links between two or more pairs of network nodes onto physical paths that are as at least relatively disjoint and a priority order of the network node pairs, the mapping options are correlated with the priority order of the network nodes to identify optimal mapping of logical links to the physical topology of a network.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.

Abstract: The present invention includes a method and system for determining link weights that when utilized will optimize the performance of a network in the event of a link failure without the need to alter the link weights. The method includes determining two sets of links, one that includes links with a significant amount of loading and one that includes links with a modest amount of loading. A set of permissible solutions is generated utilizing one randomly chosen link from each set. After omitting recent best permissible solutions, the remaining permissible solutions are evaluated by analyzing for the complete network topology and for the topologies corresponding to all single-link failure states and the best permissible solution is found. If the best permissible solution is better than the current optimal solution, then the best permissible solution is made the optimal solution. These steps are repeated until a predetermined number of iterations have been evaluated without a change in the optimal solution.

Abstract: A system and method for identifying optimal mapping of logical links to the physical topology of a network is provided. Upon obtaining one or more mapping options for mapping multiple logical links between one or more pairs of network nodes onto physical paths that are at least relatively disjoint and obtaining a maximum time delay allowed between the each pair of network nodes, the mapping options are correlated with the maximum time delay to identify optimal mapping of logical links to the physical topology of a network.

Abstract: The present invention comprises methods for increasing the rank of the routing matrix of an IP network by systematically altering link weights in the IP network. A full rank routing matrix may be used with further methods in accordance with the present invention to estimate the mean traffic of the IP network based upon the full rank routing matrix and measured link utilization values. The mean traffic and the covariance of the traffic may be iteratively estimated until the estimates coverage. Example methods in accordance with the present invention for estimating mean traffic and covariance of traffic are described for both stationary and non-stationary link utilization data.