Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.

Abstract: Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Metrics may be determined based on monitoring network traffic associated with a plurality of entities each associated with a profile that includes the metrics for each entity. Beaconing metrics associated with beaconing activity may be determined based on the metrics. The profile of each entity may be compared with the beaconing metrics to determine the entities that may be engaged in beaconing activity. The entities may be characterized based on beaconing activity such that the beaconing activity includes communication with endpoints associated with the third parties, employing communication protocols associated with the third-parties, or exchanging payloads consistent with the beaconing activity. Reports that include information associated with the entities and its beaconing activity may be generated.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Metrics may be determined based on monitoring network traffic associated with a plurality of entities each associated with a profile that includes the metrics for each entity. Beaconing metrics associated with beaconing activity may be determined based on the metrics. The profile of each entity may be compared with the beaconing metrics to determine the entities that may be engaged in beaconing activity. The entities may be characterized based on beaconing activity such that the beaconing activity includes communication with endpoints associated with the third parties, employing communication protocols associated with the third-parties, or exchanging payloads consistent with the beaconing activity. Reports that include information associated with the entities and its beaconing activity may be generated.

Abstract: Embodiments are directed monitoring network traffic using network monitoring computers. Metrics may be determined based on monitoring network traffic associated with entities in the network such that the metrics may be included in profiles associated each entity. The profiles may be compared with other profiles in a context database based on the metrics included in each profile and each other profile. In response to the profiles being unmatched by other profiles one or more active probes may be performed to collect other metrics that may be used to update profiles. In response to the one or more profiles being matched by the other profiles in the context database, a timestamp associated with the other profiles may be updated to a current time value. Reports that include information associated with the entities and the profiles or the updated profiles may be generated.

Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring communication between computers using network monitoring computers (NMCs). NMCs identify a secure communication session established between two of the computers based on an exchange of handshake information associated with the secure communication session. Key information that corresponds to the secure communication session may be obtained from a key provider such that the key information may be encrypted by the key provider. NMCs may decrypt the key information. NMCs may derive the session key based on the decrypted key information and the handshake information. NMCs may decrypt network packets included in the secure communication session. NMCs may be employed to inspect the one or more decrypted network packets to execute one or more rule-based policies.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Two or more network segments coupled by a traffic forwarding device (TFD) may be monitored. External network addresses and internal network addresses may be determined based on encrypted network traffic exchanged between external endpoints and the TFD and internal network traffic exchanged between internal endpoints and the TFD. Metrics associated with the external network addresses or the internal network addresses may be determined based on the monitoring. Correlation scores may be provided for the external network addresses and the internal network addresses based on of a correlation model, the metrics, or the other metrics. If a correlation score associated with an external network address and an internal network address exceeds a threshold value, the external network address and the internal network address may be associated with each other based on the correlation score.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Abstract: Embodiments are directed to monitoring network traffic over a network. A monitoring engine may monitor flows of network packets in the network. The monitoring engine may determine an observation port that provided the network packets. The monitoring engine may determine primary network packets provided by an authoritative observation port based on which observation port provided the network packets and provide them to an analysis engine. The monitoring engine may discard a remainder of the network packets that may be associated with non-authoritative observation ports. The analysis engine may analyze the one or more primary network packets.

Abstract: Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.

Abstract: Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.