Abstract: Structured Data Discovery and Cryptographic Analysis. In an embodiment, transport sessions are assembled from raw packets captured in network traffic. Data is extracted from two or more encapsulation layers of each transport session. In particular, each encapsulation layer may be classified into a protocol, and data may be extracted from the encapsulation layer based on the protocol. For example, cryptographic metadata may be extracted from a cryptographic encapsulation layer. The extracted data is incorporated into a data model of the network, which comprises tallies of traffic within the network, grouped according to a plurality of dimensions. Analytic model(s) may be applied to the data model to, for example, generate a data web of the network that represents structured data stores and data flows to and/or from the data stores within the network.

Abstract: Ordering partial network traffic. In an embodiment, data packets are received from a network tap and separated into two queues. For each queue, a push-sequence is maintained to represent a sequence number that must be pushed in order to maintain a consecutive order. When both push-sequences are equal to the sequence number of their first packets, if the acknowledgement number of the first packet on one queue is greater than the push-sequence for the other queue and less than or equal to the push-sequence of the one queue, data is pushed off the other queue. Otherwise, a queue having the earlier timestamp is identified as a first queue, the existence of a next acknowledgement number is determined for the second (other) queue, and data is pushed off the first queue according to the existence of the next acknowledgement number. Gap packets may be generated to force progress.

Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). Score(s) for the operation(s) or event(s) may be generated using a plurality of scoring algorithms, and potential threats among the operation(s) or event(s) may be identified using the score(s).

Abstract: Systems and methods for generating a semantic description of operations between network agents. In an embodiment, packet-level traffic between two or more network agents is captured. The packet-level traffic is bundled into one or more messages, wherein each message comprises one or more elements. For each of the messages, the elements of the message are matched to one or more attributes, and the message is decoded into message data based on the matched attributes. The message data is then used to generate a semantic description of operations between the network agents.

Abstract: Systems and methods for generating a semantic description of operations between network agents. In an embodiment, packet-level traffic between two or more network agents is captured. The packet-level traffic is bundled into one or more messages, wherein each message comprises one or more elements. For each of the messages, the elements of the message are matched to one or more attributes, and the message is decoded into message data based on the matched attributes. The message data is then used to generate a semantic description of operations between the network agents.

Abstract: Ordering partial network traffic. In an embodiment, data packets are received from a network tap and separated into two queues. For each queue, a push-sequence is maintained to represent a sequence number that must be pushed in order to maintain a consecutive order. When both push-sequences are equal to the sequence number of their first packets, if the acknowledgement number of the first packet on one queue is greater than the push-sequence for the other queue and less than or equal to the push-sequence of the one queue, data is pushed off the other queue. Otherwise, a queue having the earlier timestamp is identified as a first queue, the existence of a next acknowledgement number is determined for the second (other) queue, and data is pushed off the first queue according to the existence of the next acknowledgement number. Gap packets may be generated to force progress.

Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). Score(s) for the operation(s) or event(s) may be generated using a plurality of scoring algorithms, and potential threats among the operation(s) or event(s) may be identified using the score(s).

Abstract: The response time from a client on a network is measured and a destination address is selected based on the measured response time. The client requests an address from the network. The network may be a local network or a wide area network such as the Internet. The response time of the client is measured to determine the optimum speed at which the client may operate. The measured response time is communicated to the server, where a destination address is selected based on the requested address and the measured response time. The client may then be connected to the destination address.

Abstract: A link lock system for a network includes a computer, a network interface device, a bus monitor, and a security switch. The network interface device provides the computer with access to the network. The bus monitor monitors a link between the network interface device and the computer. The bus monitor reports detected failures or intrusions. The security switch switches the link from a non-secured mode to a secured mode when a report of the detected failures or intrusions is received from the bus monitor.

Abstract: The response time from a client on a network is measured and a destination address is selected based on the measured response time. The client requests an address from the network. The network may be a local network or a wide area network such as the Internet. The response time of the client is measured to determine the optimum speed at which the client may operate. The measured response time is communicated to the server, where a destination address is selected based on the requested address and the measured response time. The client may then be connected to the destination address.

Abstract: The response time from a client on a network is measured and a destination address is selected based on the measured response time. The client requests an address from the network. The network may be a local network or a wide area network such as the Internet. The response time of the client is measured to determine the optimum speed at which the client may operate. The measured response time is communicated to the server, where a destination address is selected based on the requested address and the measured response time. The client may then be connected to the destination address.