Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Metrics may be determined based on monitoring network traffic associated with a plurality of entities each associated with a profile that includes the metrics for each entity. Beaconing metrics associated with beaconing activity may be determined based on the metrics. The profile of each entity may be compared with the beaconing metrics to determine the entities that may be engaged in beaconing activity. The entities may be characterized based on beaconing activity such that the beaconing activity includes communication with endpoints associated with the third parties, employing communication protocols associated with the third-parties, or exchanging payloads consistent with the beaconing activity. Reports that include information associated with the entities and its beaconing activity may be generated.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Metrics may be determined based on monitoring network traffic associated with a plurality of entities each associated with a profile that includes the metrics for each entity. Beaconing metrics associated with beaconing activity may be determined based on the metrics. The profile of each entity may be compared with the beaconing metrics to determine the entities that may be engaged in beaconing activity. The entities may be characterized based on beaconing activity such that the beaconing activity includes communication with endpoints associated with the third parties, employing communication protocols associated with the third-parties, or exchanging payloads consistent with the beaconing activity. Reports that include information associated with the entities and its beaconing activity may be generated.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.

Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by bridge devices may be monitored by NMCs. The bridge devices may modify network traffic passed from one network segment to another network segment. Flows in network segments may be determined based on monitored network traffic associated with the network segments. Other flows in other network segments may be determined based on other monitored network traffic associated with the other network segments. A correlation score for two or more flows in different network segments may be provided based on a correlation model. Two or more related flows may be determined based on a value of the correlation score of the two or more related flows located in different network segments. A report that includes information about the two or more related flows may be provided.

Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.

Abstract: Embodiments are directed to secure communication over a network. If a source node sends a communication to a target node, a source gateway may forward the communication to the target node. The source gateway may provide a gateway identifier (GID) that may be associated with one or more target gateways associated with the target node. Further, the source gateway may embed marker information that includes at least a portion of the GID in the communication. If the GID is associated with more than one target gateway, a TMD selects one target gateway from the more than one target gateways. Also, the TMD provides a gateway key associated with the selected target gateway that is associated with the communication. And, the TMD may provide the communication to the selected target gateway that provides the communication to the target node.

Abstract: Embodiments are directed to a relay that receives packets from a source gateway associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets. The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.

Abstract: Embodiments are directed to a relay that receives packets from a source gateway. associated with a source gateway identifier (GID) and a target GID associated with a target gateway where each GID is separate from a network address or a hostname of the source gateway or the target gateway. The relay determines a connection route based on an association between the connection route and an ingress identifier obtained from the packets The relay provides the connection route based on the source GID and the target GID. The relay determines network address information associated with the target gateway based on the connection route. And, the relay forwards the packets provided by the source gateway to the target gateway based on the network address information.