Patents by Inventor Bhushan Prasad Khanal
Bhushan Prasad Khanal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12355816
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Grant
Filed: September 30, 2024
Date of Patent: July 8, 2025
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Publication number: 20250023914
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Application
Filed: September 30, 2024
Publication date: January 16, 2025
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Patent number: 12107888
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Grant
Filed: November 1, 2021
Date of Patent: October 1, 2024
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Patent number: 11496378
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Grant
Filed: May 12, 2021
Date of Patent: November 8, 2022
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Patent number: 11463299
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Grant
Filed: April 9, 2021
Date of Patent: October 4, 2022
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Publication number: 20220070073
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Application
Filed: May 12, 2021
Publication date: March 3, 2022
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Publication number: 20220060503
Abstract: Embodiments are directed to monitoring network traffic using NMCs that may be arranged to provide scores based on threat assessments associated with anomaly classes such that the anomaly classes may be associated with types of anomalous activity. NMCs may employ the anomaly classes, the scores, characteristics of the anomaly classes, or the like, to determine triage models. The NMCs may modify the scores based on the triage models or archival information associated with the anomaly classes. The NMCs may associate the modified scores with the anomaly classes. In response to detecting anomalous activity, the NMCs may provide other scores based on the anomalous activity and provide a report that includes the other scores to a user.
Type: Application
Filed: November 1, 2021
Publication date: February 24, 2022
Inventors: Po-Shen Lee, Songqian Chen, Amanda Jewitt, Olga Kazakova, Todd Kemmerling, Bhushan Prasad Khanal, Katherine Megan Porterfield, Jade Alexi Tabony, Karan Rajesh Thakker, Xue Jun Wu
-
Publication number: 20220053022
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Application
Filed: November 1, 2021
Publication date: February 17, 2022
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Publication number: 20220029875
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Application
Filed: April 9, 2021
Publication date: January 27, 2022
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 11165814
Abstract: Embodiments are directed to monitoring network traffic using NMCs that may be arranged to provide scores based on threat assessments associated with anomaly classes such that the anomaly classes may be associated with types of anomalous activity. NMCs may employ the anomaly classes, the scores, characteristics of the anomaly classes, or the like, to determine triage models. The NMCs may modify the scores based on the triage models or archival information associated with the anomaly classes. The NMCs may associate the modified scores with the anomaly classes. In response to detecting anomalous activity, the NMCs may provide other scores based on the anomalous activity and provide a report that includes the other scores to a user.
Type: Grant
Filed: July 29, 2019
Date of Patent: November 2, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Po-Shen Lee, Songqian Chen, Amanda Jewitt, Olga Kazakova, Todd Kemmerling, Bhushan Prasad Khanal, Katherine Megan Porterfield, Jade Alexi Tabony, Karan Rajesh Thakker, Xue Jun Wu
-
Patent number: 11165823
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Grant
Filed: December 17, 2019
Date of Patent: November 2, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Publication number: 20210185087
Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Anomalous events may be classified based on the monitored network traffic and attack models such that the classification determines that targets of the anomalous events may be currently subject to attacks by entities communicating on the networks. A honeypot trap may be provided in the networks based on the classified events such that the honeypot trap mimics characteristics of the targets. The portions of the network traffic associated with the honeypot trap may be monitored. Characteristics of the attacks may be determined based on the monitored portions of network traffic. Reports that include information based on the characteristics of the attacks may be generated.
Type: Application
Filed: December 17, 2019
Publication date: June 17, 2021
Inventors: Xue Jun Wu, Bhushan Prasad Khanal, Swagat Dasgupta, Changhwan Oh, J. Braund
-
Patent number: 11012329
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Grant
Filed: September 9, 2019
Date of Patent: May 18, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Patent number: 10979282
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Grant
Filed: August 16, 2019
Date of Patent: April 13, 2021
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Publication number: 20210037043
Abstract: Embodiments are directed to monitoring network traffic using NMCs that may be arranged to provide scores based on threat assessments associated with anomaly classes such that the anomaly classes may be associated with types of anomalous activity. NMCs may employ the anomaly classes, the scores, characteristics of the anomaly classes, or the like, to determine triage models. The NMCs may modify the scores based on the triage models or archival information associated with the anomaly classes. The NMCs may associate the modified scores with the anomaly classes. In response to detecting anomalous activity, the NMCs may provide other scores based on the anomalous activity and provide a report that includes the other scores to a user.
Type: Application
Filed: July 29, 2019
Publication date: February 4, 2021
Inventors: Po-Shen Lee, Songqian Chen, Amanda Jewitt, Olga Kazakova, Todd Kemmerling, Bhushan Prasad Khanal, Katherine Megan Porterfield, Jade Alexi Tabony, Karan Rajesh Thakker, Xue Jun Wu
-
Patent number: 10728126
Abstract: Embodiments are directed to monitoring network traffic using network computers. A monitoring engine may monitor network traffic associated with a plurality of entities in a network to provide metrics. A device relation model may be provided based on the plurality of entities, the network traffic, and the metrics. Interest information for a user may be provided based on one or more properties associated with the user. An inference engine may associate each entity in the plurality of entities with an interest score based on the interest information, the device relation model, and the metrics. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. Some of the alerts may be provided to the user based on ranked interest scores associated with the entities.
Type: Grant
Filed: July 30, 2018
Date of Patent: July 28, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10594709
Abstract: Embodiments are directed to monitoring network traffic using network computers. Monitoring triggers associated with one or more conditions and one or more actions may be provided. A monitoring engine may monitor information that is associated with network traffic associated with networks based on an inspection detail level. The monitoring engine may compare the monitored information to the conditions associated with the monitoring triggers. The monitoring engine may activate one or more monitoring triggers based on a result of the comparison. The monitoring engine may modify the inspection detail level based on the actions associated with the activated monitoring triggers to increase the amount of the information monitored by the monitoring engine. An analysis engine may provide analysis of the network traffic based on the monitored information.
Type: Grant
Filed: April 15, 2019
Date of Patent: March 17, 2020
Assignee: ExtraHop Networks, Inc.
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Publication number: 20200052985
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Application
Filed: September 9, 2019
Publication date: February 13, 2020
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu
-
Publication number: 20190372828
Abstract: Embodiments are directed to monitoring network traffic. A monitoring engine may monitor network traffic associated with a plurality of entities in networks to provide metrics. And provide a device relation model based on the plurality of entities, the network traffic, and the metrics. An inference engine may associate each entity in the plurality of entities with an importance score based on the device relation model and the metrics such that each importance score is associated with a significance of an entity to operations of the networks. An alert engine may generate a plurality of alerts associated with the plurality of entities based on the metrics. And provide one or more alerts from the plurality of alerts to one or more users based on one or more ranked importance scores associated with one or more entities.
Type: Application
Filed: August 16, 2019
Publication date: December 5, 2019
Inventors: Xue Jun Wu, Nicholas Jordan Braun, Joel Benjamin Deaguero, Michael Kerber Krause Montague, Bhushan Prasad Khanal
-
Patent number: 10411978
Abstract: Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.
Type: Grant
Filed: August 9, 2018
Date of Patent: September 10, 2019
Assignee: ExtraHop Networks, Inc.
Inventors: Eric Jacob Ball, Eric Joseph Hammerle, Benjamin Thomas Higgins, Bhushan Prasad Khanal, Michael Kerber Krause Montague, Xue Jun Wu