Abstract: A system for labelling and classification of encrypted network traffic is disclosed. The system employs a Labeler, having a semi-supervised machine learning module for semi-automated labeling of encrypted network traffic, with an initial involvement of a human-in-the-loop intelligence for rapid training of the Labeler. The Labeler produces a labeled training set of encrypted network traffic flows. The system further includes a Modeler having a genetic algorithm module, for automatically selecting a list of network traffic features for further use in real-time classification of the encrypted network traffic, and outputting a corresponding classification model. The system further includes a Classifier for real-time classification of the encrypted network traffic using the classification model. Corresponding methods for labeling and classifying the encrypted network traffic are also provided.

Abstract: A system for labelling and classification of encrypted network traffic is disclosed. The system employs a Labeler, having a semi-supervised machine learning module for semi-automated labeling of encrypted network traffic, with an initial involvement of a human-in-the-loop intelligence for rapid training of the Labeler. The Labeler produces a labeled training set of encrypted network traffic flows. The system further includes a Modeler having a genetic algorithm module, for automatically selecting a list of network traffic features for further use in real-time classification of the encrypted network traffic, and outputting a corresponding classification model. The system further includes a Classifier for real-time classification of the encrypted network traffic using the classification model. Corresponding methods for labeling and classifying the encrypted network traffic are also provided.

Abstract: Systems and methods for discovery and mapping of industrial control and SCADA networks are described herein. The disclosed systems and methods help operators ensure the cyber security of their SCADA network through accurate discovery, fingerprinting and mapping the industrial control network map, including PLCs (Programmable Logic Controller) and RTUs (Remote Terminal Unit), using passive techniques.

Abstract: Systems and methods for discovery and mapping of industrial control and SCADA networks are described herein. The disclosed systems and methods help operators ensure the cyber security of their SCADA network through accurate discovery, fingerprinting and mapping the industrial control network map, including PLCs (Programmable Logic Controller) and RTUs (Remote Terminal Unit), using passive techniques.

Abstract: Disclosed is a method 101 to be used on collected network data flow 116 associated with a network 100; the method 101 includes: an anomaly-detection operation 103 including: (A) obtaining the collected network data flow 116; and (B) performing an iterative principal component analysis on the collected network data flow 116 to detect an anomaly associated with the collected network data flow 116. The method may be used in a server and a network, and may also be implemented as a non-transitory computer-readable media. A corresponding system for detecting the anomaly in the network flow data is also provided.

Abstract: Disclosed is a method 101 to be used on collected network data flow 116 associated with a network 100; the method 101 includes: an anomaly-detection operation 103 including: (A) obtaining the collected network data flow 116; and (B) performing an iterative principal component analysis on the collected network data flow 116 to detect an anomaly associated with the collected network data flow 116. The method may be used in a server and a network, and may also be implemented as a non-transitory computer-readable media. A corresponding system for detecting the anomaly in the network flow data is also provided.

Abstract: Network traffic flow records received from a network probe are recorded in multiple sets of buckets of different granularity, optimized for the purpose of almost instant analysis and display as well as for longer term report generation. The flow data is pre-processed and stored redundantly in parallel in multiple bucketized data base tables of different time window sizes. Denormalized tables keyed on different combinations of traffic flow attributes are precomputed and stored in parallel tables redundantly to facilitate a near real time display of summarized network traffic data, and a capability to rapidly generate reports for different monitoring periods.

Abstract: Network traffic flow records received from a network probe are filtered and short traffic flows are selected so that the total number of short traffic flows is high but the number of bytes in the short traffic flows is negligible, followed by discarding of the short traffic flows. Traffic flow data is recorded in multiple sets of buckets of different granularity, optimized for the purpose of almost instant analysis and display as well as for longer term report generation. The traffic flow data is pre-processed and stored redundantly in parallel in multiple bucketized data base tables of different time window sizes. A corresponding method and system are provided.

Abstract: Network traffic flow records received from a network probe are filtered and short traffic flows are selected so that the total number of short traffic flows is high but the number of bytes in the short traffic flows is negligible, followed by discarding of the short traffic flows. Traffic flow data is recorded in multiple sets of buckets of different granularity, optimized for the purpose of almost instant analysis and display as well as for longer term report generation. The traffic flow data is pre-processed and stored redundantly in parallel in multiple bucketized data base tables of different time window sizes. A corresponding method and system are provided.

Abstract: Network traffic flow records received from a network probe are recorded in multiple sets of buckets of different granularity, optimized for the purpose of almost instant analysis and display as well as for longer term report generation. The flow data is pre-processed and stored redundantly in parallel in multiple bucketized data base tables of different time window sizes. Denormalized tables keyed on different combinations of traffic flow attributes are precomputed and stored in parallel tables redundantly to facilitate a near real time display of summarized network traffic data, and a capability to rapidly generate reports for different monitoring periods.

Abstract: Devices, networks and methods relating to routing gateway traffic in a mesh network for wireless access. A mesh network has multiple nodes in at least one gateway node through which all incoming and outgoing data traffic pass through. The nodes provide wireless access to wireless and user devices, each of which is associated with anode in the mesh network. Each gateway node contains a record detailing which nodes are providing wireless access to which wireless end user device and which nodes are associated with which end user devices. This record of each end user device's location is periodically updated as the gateway node periodically receives data from the nodes which detail the device is being serviced by which node. Any incoming data traffic destined for an end user device is encapsulated and routed to the proper node servicing that end user device.

Abstract: A real-time network-analysis system comprises a network appliance and a plurality of management devices. The network appliance continuously monitors an object network and synthesizes a current network image comprising contemporaneous indicators of connectivity, occupancy, and performance of the object network. A management-client device may gain access to the network image for timely control and for use in producing long-term network-evolution plans. To enable the creation of a real-time network image, optimized topology synthesis algorithms are devised to minimize the computational effort. The real-time network-analysis system is adapted for use with an object network employing a variety of routing protocols, such as link-state protocols, and network-management protocols, such as the Simple-Network-Management protocol.

Abstract: Devices, networks and methods relating to routing gateway traffic in a mesh network for wireless access. A mesh network has multiple nodes in at least one gateway node through which all incoming and outgoing data traffic pass through. The nodes provide wireless access to wireless and user devices, each of which is associated with anode in the mesh network. Each gateway node contains a record detailing which nodes are providing wireless access to which wireless end user device and which nodes are associated with which end user devices. This record of each end user device's location is periodically updated as the gateway node periodically receives data from the nodes which detail the device is being serviced by which node. Any incoming data traffic destined for an end user device is encapsulated and routed to the proper node servicing that end user device.

Abstract: Devices, networks and methods relating to routing gateway traffic in a mesh network for wireless access. A mesh network has multiple nodes in at least one gateway node through which all incoming and outgoing data traffic pass through. The nodes provide wireless access to wireless and user devices, each of which is associated with a node in the mesh network. Each gateway node contains a record detailing which nodes are providing wireless access to which wireless end user device and which nodes are associated with which end user devices. This record of each end user device's location is periodically updated as the gateway node periodically receives data from the nodes which detail the device is being serviced by which node. Any incoming data traffic destined for an end user device is encapsulated and routed to the proper node servicing that end user device.

Abstract: Methods and apparatus for topology discovery of a network having heterogeneous network devices are disclosed. A network appliance communicates with the network devices to acquire device descriptors and characterize the network devices accordingly. Topology discovery is based on device characteristics, media-access data, and encoded connectivity patterns, where each connectivity pattern is defined by devices of specific device types and respective media-access data. A topology deduction module of the network appliance synthesizes a network image starting with unconnected devices and progressively incorporating detected connectivity patterns.

Abstract: A real-time network-analysis system comprises a network appliance and a plurality of management devices. The network appliance continuously monitors an object network and synthesizes a current network image comprising contemporaneous indicators of connectivity, occupancy, and performance of the object network. A management-client device may gain access to the network image for timely control and for use in producing long-term network-evolution plans. To enable the creation of a real-time network image, optimized topology synthesis algorithms are devised to minimize the computational effort. The real-time network-analysis system is adapted for use with an object network employing a variety of routing protocols, such as link-state protocols, and network-management protocols, such as the Simple-Network-Management protocol.

Abstract: Methods and apparatus for topology discovery of a network having heterogeneous network devices are disclosed. A network appliance communicates with the network devices to acquire device descriptors and characterize the network devices accordingly. Topology discovery is based on device characteristics, media-access data, and encoded connectivity patterns, where each connectivity pattern is defined by devices of specific device types and respective media-access data. A topology deduction module of the network appliance synthesizes a network image starting with unconnected devices and progressively incorporating detected connectivity patterns.

Abstract: A real-time network-analysis system comprises a network appliance and a plurality of management devices. The network appliance continuously monitors an object network and synthesizes a current network image comprising contemporaneous indicators of connectivity, occupancy, and performance of the object network. A management-client device may gain access to the network image for timely control and for use in producing long-term network-evolution plans. To enable the creation of a real-time network image, optimized topology synthesis algorithms are devised to minimize the computational effort. The real-time network-analysis system is adapted for use with an object network employing a variety of routing protocols, such as link-state protocols, and network-management protocols, such as the Simple-Network-Management protocol.

Abstract: Devices, networks and methods relating to routing gateway traffic in a mesh network for wireless access. A mesh network has multiple nodes in at least one gateway node through which all incoming and outgoing data traffic pass through. The nodes provide wireless access to wireless and user devices, each of which is associated with a node in the mesh network. Each gateway node contains a record detailing which nodes are providing wireless access to which wireless end user device and which nodes are associated with which end user devices. This record of each end user device's location is periodically updated as the gateway node periodically receives data from the nodes which detail the device is being serviced by which node. Any incoming data traffic destined for an end user device is encapsulated and routed to the proper node servicing that end user device.

Abstract: An alert system for a communications network has a plurality of client devices and a plurality of alert servers each adapted to provide alerts to a respective subset of the client devices to provide scalability. Users at the client devices subscribe to receive alerts by selecting a scope of distribution of alerts. The selection involves selecting a type of alert to receive, a level of severity of alerts to receive, and a geographic scope. In response to receiving a request to issue an alert, an alert server notifies the other alert servers of the alert. Each alert server determines which client devices of the respective subset of client devices are to receive the alert. Each alert server then sends an alert message to its client devices that are to receive the alert.