Abstract: Facilitating web page spectroscopy in a communications network is provided herein. A system can comprise a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise receiving first data that describes a first communication packet flow and second data that describes a second communication packet flow. The operations can also comprise training a model based on the first data and the second data, as a result of which the model is trained to detect respective behaviors represented by the first data and the second. Further, the operations can comprise extracting a common parameter from third data that describes a third communication packet flow and fourth data that describes a fourth communication packet flow based on the model.

Abstract: In one example, a processor may receive network traffic from a demultiplexer via a first network interface card and place portions of the network traffic into a plurality of hash buckets. The processor may further process a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets and forward a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card. In one example, the switch distributes the second portion of the network traffic to one of a plurality of overflow probes. In one example, the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the network traffic.

Abstract: In one example, a processing system including at least one processor may obtain a first packet, determine a first tunnel identifier from a tunnel identifier field and a first source port identifier from a source port identifier field of the header of the first packet, and assign the first packet to a first flow. The processing system may further obtain a second packet, extract a first value from a tunnel identifier field and a second value from a source port identifier field of a header of the second packet, determine that the first value matches the first tunnel identifier and that the second value matches the first source port identifier, and assign the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.

Abstract: In one example, a processing system including at least one processor may obtain a first packet, determine a first tunnel identifier from a tunnel identifier field and a first source port identifier from a source port identifier field of the header of the first packet, and assign the first packet to a first flow. The processing system may further obtain a second packet, extract a first value from a tunnel identifier field and a second value from a source port identifier field of a header of the second packet, determine that the first value matches the first tunnel identifier and that the second value matches the first source port identifier, and assign the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for extracting data from encrypted packet flows. For instance, in one example, a method includes detecting a data packet that belongs to an encrypted data flow traversing a network, determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake, forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow, and forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for organizing terabit-scale packet volumes into flows for downstream processing stages. For instance, in one example, a method includes extracting a first flow key from a first data packet, inputting the first flow key into a hash function to obtain a first output value, selecting a first partition in a memory to which to store the first data packet, wherein the first partition is selected based on the first output value, and storing the first data packet to the first partition.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for organizing terabit-scale packet volumes into flows for downstream processing stages. For instance, in one example, a method includes extracting a first flow key from a first data packet, inputting the first flow key into a hash function to obtain a first output value, selecting a first partition in a memory to which to store the first data packet, wherein the first partition is selected based on the first output value, and storing the first data packet to the first partition.

Abstract: The present disclosure describes a device, computer-readable medium, and method for using singular group actions in a network to train a machine learning system. In one example, the method includes detecting a singular group action in data traversing a telecommunication service provider network, wherein the singular group action is characterized by multiple customers of the network performing a same action with their respective computing devices within a defined window of time while the multiple customers are within a threshold physical proximity to each other, labeling a subset of the data that is associated with the singular group action to generate labeled training data, and training a machine learning system using the labeled training data.

Abstract: In one example, a processor may receive network traffic from a demultiplexer via a first network interface card and place portions of the network traffic into a plurality of hash buckets. The processor may further process a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets and forward a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card. In one example, the switch distributes the second portion of the network traffic to one of a plurality of overflow probes. In one example, the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the network traffic.

Abstract: In one example, a processor may receive network traffic from a demultiplexer via a first network interface card and place portions of the network traffic into a plurality of hash buckets. The processor may further process a first portion of the portions of the network traffic in at least a first hash bucket of the plurality of hash buckets and forward a second portion of the portions of the network traffic in at least a second hash bucket of the plurality of hash buckets to a switch via a second network interface card. In one example, the switch distributes the second portion of the network traffic to one of a plurality of overflow probes. In one example, the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the network traffic.

Abstract: Facilitating web page spectroscopy in a communications network is provided herein. A system can comprise a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise receiving first data that describes a first communication packet flow and second data that describes a second communication packet flow. The operations can also comprise training a model based on the first data and the second data, as a result of which the model is trained to detect respective behaviors represented by the first data and the second. Further, the operations can comprise extracting a common parameter from third data that describes a third communication packet flow and fourth data that describes a fourth communication packet flow based on the model.

Abstract: Facilitating web page spectroscopy in a communications network is provided herein. A system can comprise a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations. The operations can comprise receiving first data that describes a first communication packet flow and second data that describes a second communication packet flow. The operations can also comprise training a model based on the first data and the second data, as a result of which the model is trained to detect respective behaviors represented by the first data and the second. Further, the operations can comprise extracting a common parameter from third data that describes a third communication packet flow and fourth data that describes a fourth communication packet flow based on the model.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for organizing terabit-scale packet volumes into flows for downstream processing stages. For instance, in one example, a method includes extracting a first flow key from a first data packet, inputting the first flow key into a hash function to obtain a first output value, selecting a first partition in a memory to which to store the first data packet, wherein the first partition is selected based on the first output value, and storing the first data packet to the first partition.

Abstract: In one example, a processing system including at least one processor may obtain a first packet, determine a first tunnel identifier from a tunnel identifier field and a first source port identifier from a source port identifier field of the header of the first packet, and assign the first packet to a first flow. The processing system may further obtain a second packet, extract a first value from a tunnel identifier field and a second value from a source port identifier field of a header of the second packet, determine that the first value matches the first tunnel identifier and that the second value matches the first source port identifier, and assign the second packet to the first flow in response to the determining that the first value matches the first tunnel identifier and that the second value matches the first source port identifier.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for extracting data from encrypted packet flows. For instance, in one example, a method includes detecting a data packet that belongs to an encrypted data flow traversing a network, determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake, forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow, and forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for organizing terabit-scale packet volumes into flows for downstream processing stages. For instance, in one example, a method includes extracting a first flow key from a first data packet, inputting the first flow key into a hash function to obtain a first output value, selecting a first partition in a memory to which to store the first data packet, wherein the first partition is selected based on the first output value, and storing the first data packet to the first partition.

Abstract: A processor may apply data blocks of a training data set to a pattern matching algorithm to identify whether the data blocks match a pattern, determine points of divergence between the data blocks and the pattern, count a number of times that each of a plurality of positions in the pattern is determined to be a point of divergence, and determine a position with a highest count of a number of times that the position is determined to be a point of divergence. The processor may further receive an incoming data block, compare a data value at the position in the pattern with the highest count to a data value at a corresponding position in the incoming data block, and determine a mismatch when the data value at the position in the pattern and the data value at the corresponding position in the incoming data block are different.

Abstract: In one example, the present disclosure describes a device, computer-readable medium, and method for extracting data from encrypted packet flows. For instance, in one example, a method includes detecting a data packet that belongs to an encrypted data flow traversing a network, determining whether the encrypted data flow is a new encrypted data flow or an existing encrypted data flow, based on an inspection of payloads of data packets belonging to the encrypted data flow for evidence of a transport control protocol handshake, forwarding the data packet to a first server pool that will truncate the data packet, when the encrypted data flow is an existing encrypted data flow, and forwarding the data packet to a second server pool that will inspect a payload of the data packet for a secure sockets layer certificate, when the encrypted data flow is a new encrypted data flow.

Abstract: The present disclosure describes a device, computer-readable medium, and method for using singular group actions in a network to train a machine learning system. In one example, the method includes detecting a singular group action in data traversing a telecommunication service provider network, wherein the singular group action is characterized by multiple customers of the network performing a same action with their respective computing devices within a defined window of time while the multiple customers are within a threshold physical proximity to each other, labeling a subset of the data that is associated with the singular group action to generate labeled training data, and training a machine learning system using the labeled training data.

Abstract: A processor may apply data blocks of a training data set to a pattern matching algorithm to identify whether the data blocks match a pattern, determine points of divergence between the data blocks and the pattern, count a number of times that each of a plurality of positions in the pattern is determined to be a point of divergence, and determine a position with a highest count of a number of times that the position is determined to be a point of divergence. The processor may further receive an incoming data block, compare a data value at the position in the pattern with the highest count to a data value at a corresponding position in the incoming data block, and determine a mismatch when the data value at the position in the pattern and the data value at the corresponding position in the incoming data block are different.