Abstract: Systems and methods are provided for managing false positives in a network anomaly detection system. The methods may include receiving a plurality of anomaly reports; extracting fields, and values for the fields, from each of the anomaly reports; grouping the anomaly reports into a plurality of groups according to association rule learning, wherein each group is defined by a respective rule; for each group, creating a cluster based on common values for the fields; and marking each cluster as a possible false positive anomaly cluster.

Abstract: A computerized method involves obfuscating one or more segments of data that is part of a flow prior to analysis of the flow for malware. Each of the one or more obfuscated data corresponds to one or more anonymized data. Thereafter, an identifier is generated for each of the one or more anonymized data, and each identifier is substituted for its corresponding anonymized data. The anonymized data and its corresponding identifiers are separately maintained from the stored flow.

Abstract: Systems and methods are provided for managing false positives in a network anomaly detection system. The methods may include receiving a plurality of anomaly reports; extracting fields, and values for the fields, from each of the anomaly reports; grouping the anomaly reports into a plurality of groups according to association rule learning, wherein each group is defined by a respective rule; for each group, creating a cluster based on common values for the fields; and marking each cluster as a possible false positive anomaly cluster.

Abstract: A computerized method involves obfuscating one or more segments of data that is part of a flow prior to analysis of the flow for malware. Each of the one or more obfuscated data corresponds to one or more anonymized data. Thereafter, an identifier is generated for each of the one or more anonymized data, and each identifier is substituted for its corresponding anonymized data. The anonymized data and its corresponding identifiers are separately maintained from the stored flow.

Abstract: An integrated network security enforcement system is provided. Information from a network access control (NAC) device, network analytics engine (NAE) executing on a network analytics server (NAS), and a network controller are used to control network access of a client device and associated user. A login session for the user may be monitored by the NAE. Events based on risk analysis of user-initiated actions are sent to the NAC device and/or the network controller. Events may indicate to take action with respect to the client device (or user). For example, user-initiated actions that cumulatively appear as a security threat on a device (and possibly other devices) may be isolated or forced to re-authenticate. Risk assessment may be reduced if higher levels of authentication are performed by the user. Two-factor, or biometric authentication may allow greater risk (e.g., reduced risk assessment) than a login session using a single password.

Abstract: A computerized method involves obfuscating one or more segments of data that is part of a flow prior to analysis of the flow for malware. Each of the one or more obfuscated data corresponds to one or more anonymized data. Thereafter, an identifier is generated for each of the one or more anonymized data, and each identifier is substituted for its corresponding anonymized data. The anonymized data and its corresponding identifiers are separately maintained from the stored flow.

Abstract: A network sensor that features a data store and a packet processing engine. In communication with the data store, the packet processing engine comprises (1) a cache management logic and (2) deduplication logic. The cache management logic is configured to analyze packets to determine whether (a) a packet under analysis include duplicated data and (b) content of the packet is targeted for storage in a same continuous logical storage area as the duplicated data. The deduplication logic, when activated by the cache management logic, is configured to generate a deduplication reference for insertion into the packet prior to storage.

Abstract: Methods and systems for attributing monitored network activity to a user are provided. In one aspect, a method includes receiving profile data associated with a user and monitored network activity data. The method includes attributing at least one network activity associated with at least one client device to the user. The method also includes generating a timeline comprising an event at a particular time point on the timeline corresponding to the at least one network activity associated with the at least one client device that is attributed to the user; updating the timeline to include subsequent network activities of the monitored network activity data that are attributed to the user; and monitoring the timeline to detect at least one security anomaly based on the updated timeline.

Abstract: A network sensor that features a data store and a packet processing engine. Communicatively coupled to the data store, the packet processing engine is configured to (i) generate a retention priority for at least a first flow within a first storage region of a plurality of storage regions and (ii) identify, in response to an eviction request, the priority of each of the plurality of storage regions. The priority of the first storage region is partially based on the retention priority associated with the first flow while the priority of a second storage region is based on retention priorities associated with flows stored within the second storage region. The packet processing engine also is configured to identify, through use of the retention priorities of the stored flows within the first storage region, which flows are to be retained and which flows are to be evicted.

Abstract: The present disclosure discloses a method and network device for control plane protection for various tables using storm prevention entries. Specifically, the disclosed system receives a first packet, and creates an inactive entry in a table. The system then forwards the first packet from a first processor to a second processor for processing. Also, the system associates the inactive entry with a timestamp indicating when the first packet is forwarded to the second processor, and determines a configured interval (CI) associated with the table. Further, the system compares a difference between a current timestamp and the timestamp associated with the inactive entry against the CI upon receiving a second packet. If the difference is longer than the CI, the system associates the inactive entry with the current timestamp, and forwards the second packet to the second processor for processing. Otherwise, the system discards the second packet.

Abstract: The present disclosure discloses a method and network device for a rate limiting mechanism based on device load/capacity or traffic content. Specifically, the system receives a request from a network node, and determines whether a ratio between a current load and a capacity exceeds a threshold. If so, the system determines a wait time period based on current load/capacity ratio, and responds to the network node with a message including the wait time period. Moreover, the system can inspect content of the request to determine a message type, and whether the message type indicates that the request is associated with dependent messages. If so, the system responds to the request with a busy message including the wait time period. Further, the system rejects new session requests if the number of concurrent sessions currently connected to the network device approaches the number of sessions associated with a regression point.

Abstract: A network device includes a communication interface and a processor. The communication interface may receive a multicast stream that includes a frame. The processor is coupled to the communication interface and may determine whether to send the frame unicast or multicast. The communication interface transmits the frame unicast or multicast based on the determination by the processor. The determination by the processor may be based on characteristics of the frame. If the characteristics of the frame include characteristics of a key frame such as an I-frame, the processor may determine to transmit the frame unicast. The determination may also be based on a predetermined state of client devices that are to receive the frame. If a client device is in a predetermined state such as a power save state, the processor may determine to transmit the frame unicast to that client device. Other embodiments are also described.

Abstract: A computerized method involves obfuscating one or more segments of data that is part of a flow prior to analysis of the flow for malware. Each of the one or more obfuscated data corresponds to one or more anonymized data. Thereafter, an identifier is generated for each of the one or more anonymized data, and each identifier is substituted for its corresponding anonymized data. The anonymized data and its corresponding identifiers are separately maintained from the stored flow.

Abstract: A network device to provide per-user firewall capabilities. The network device identifies a user associated with a received frame and a role of the user. The network device determines the firewall actions to be taken for the frame based on the role of the associated user. The user role may be dynamically changed by an administrator or automatically. A user role may be altered based on the authentication level of the user. The network device provides a system where a customized authentication experience may be provided for each user and services and permissions may be managed on a per-user basis.

Abstract: A network sensor that features a data store and a packet processing engine. Communicatively coupled to the data store, the packet processing engine is configured to (i) generate a retention priority for at least a first flow within a first storage region of a plurality of storage regions and (ii) identify, in response to an eviction request, the priority of each of the plurality of storage regions. The priority of the first storage region is partially based on the retention priority associated with the first flow while the priority of a second storage region is based on retention priorities associated with flows stored within the second storage region. The packet processing engine also is configured to identify, through use of the retention priorities of the stored flows within the first storage region, which flows are to be retained and which flows are to be evicted.

Abstract: A network sensor that features a data store and a packet processing engine. In communication with the data store, the packet processing engine comprises (1) a cache management logic and (2) deduplication logic. The cache management logic is configured to analyze packets to determine whether (a) a packet under analysis include duplicated data and (b) content of the packet is targeted for storage in a same continuous logical storage area as the duplicated data. The deduplication logic, when activated by the cache management logic, is configured to generate a deduplication reference for insertion into the packet prior to storage.

Abstract: The present disclosure discloses a method and network device for maintaining captive portal user authentication. Specifically, the disclosed system determines an association status between a client and an access point in a wireless network, as well as whether to remove an entry corresponding to the client from a network layer (L3) cache based on the association status. If it is determined that the entry is to be removed, the disclosed system removes the entry corresponding to the client from the network layer (L3) cache. Note that, the association status can be determined based on one or more of an indication by a station management process at the network device, and a detection of radio link activities.

Abstract: The present disclosure discloses a method and network device for an enhanced serialization mechanism. Specifically, the disclosed system receives a plurality of packets from a plurality of transport layer flows corresponding to a security association. Also, the system designates one processor of a plurality of processors to be associated with the security association. Moreover, the system assigns a sequence number to each packet, and transmits the plurality of packets from the plurality of transport layer flows such that packets within the same transport layer flow are transmitted in order of their sequence numbers. However, at least two packets from two different transport layer flows may be transmitted out of incremental order of their sequence number.

Abstract: The present disclosure discloses a method and network device for achieving enhanced performance with multiple CPU cores in a network device having a symmetric multiprocessing architecture. The disclosed method allows for storing, by each central processing unit (CPU) core, a non-atomic data structure, which is specific to each networking CPU core, in a memory shared by the plurality of CPU cores. Also, the memory is not associated with any locking mechanism. In response to a data packet is received by a particular CPU core, the disclosed system will update a value of the non-atomic data structure corresponding to the particular CPU core. The data structure may be a counter or a fragment table. Further, a dedicated CPU core is allocated to process only data packets received from other CPU cores, and is responsible for dynamically responding to queries receives from a control plane process.

Abstract: Assigning clients to VLANs on a digital network. A client attaching to a digital network through a network device is initially assigned to a first VLAN. This VLAN may have restricted access and is used for authentication. The device snoops DHCP traffic on this first VLAN rewriting DHCP traffic from the client to request a short lease time for the client. A short lease time may be on the order of 30 seconds. The device optionally rewrites DHCP traffic to the client on the first VLAN to assure a short lease time is returned; this rewriting supports DHCP servers which do not issue short leases. Traffic on this first VLAN may be limited to authentication such as captive portals, 802.1x, Kerberos, and the like. If client authentication on the first VLAN does not succeed, when the short lease expires, the client will receive another short lease on the first VLAN. The network device snoops authentication traffic.