Abstract: Disclosed herein are system, method, and computer program product embodiments for providing an anomaly detection system. Some aspects of this disclosure include a method for detecting anomaly in a network device. The method includes determining one or more similarity values between a flow vector corresponding to a flow associated with the network device and one or more flow clusters associated with the network device. The method further includes determining a maximum similarity value as a maximum of the one or more similarity values and comparing the maximum similarity value to a threshold. The method also includes, in response to the maximum similarity value being equal to or greater than the threshold, updating a flow cluster associated with the maximum similarity value. The method also includes, in response to the maximum similarity measure being less than the threshold, detecting the anomaly in the network device.

Abstract: Systems and methods are disclosed herein for monitoring health of each switch of a plurality of switches on a network by selectively mirroring packets transmitted by each switch of the plurality of switches. In some embodiments, control circuitry generates a plurality of mirroring parameters, each mirroring parameter comprising an instruction to mirror a respective type of packet. The control circuitry transmits the plurality of mirroring parameters to each switch of the plurality of switches on the network, and receives, from a switch, a packet that was mirrored by the switch according to a mirroring parameter of the plurality of mirroring parameters. The control circuitry determines the respective type of the packet, executes an analysis of contents of the packet based on the respective type of the packet, and determines a health of the switch based on results of the analysis.

Abstract: Disclosed herein are system, method, and computer program product embodiments for providing an anomaly detection system. Some aspects of this disclosure include a method for detecting anomaly in a network device. The method includes determining one or more similarity values between a flow vector corresponding to a flow associated with the network device and one or more flow clusters associated with the network device. The method further includes determining a maximum similarity value as a maximum of the one or more similarity values and comparing the maximum similarity value to a threshold. The method also includes, in response to the maximum similarity value being equal to or greater than the threshold, updating a flow cluster associated with the maximum similarity value. The method also includes, in response to the maximum similarity measure being less than the threshold, detecting the anomaly in the network device.

Abstract: Systems and methods are disclosed herein for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model. To this end, control circuitry may determine a respective network endpoint, of a plurality of network endpoints, to which each respective record of a plurality of received records corresponds. The control circuitry then may assign a dedicated queue for each respective network endpoint, and transmit, to each dedicated queue, each record that corresponds to the respective network endpoint to which the respective dedicated queue is assigned. The control circuitry may then determine, for each respective network endpoint, a respective behavior model, and may store each respective behavior model to memory.

Abstract: Systems and methods are disclosed herein for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model. To this end, control circuitry may determine a respective network endpoint, of a plurality of network endpoints, to which each respective record of a plurality of received records corresponds. The control circuitry then may assign a dedicated queue for each respective network endpoint, and transmit, to each dedicated queue, each record that corresponds to the respective network endpoint to which the respective dedicated queue is assigned. The control circuitry may then determine, for each respective network endpoint, a respective behavior model, and may store each respective behavior model to memory.

Abstract: Systems and methods are disclosed herein for monitoring health of each switch of a plurality of switches on a network by selectively mirroring packets transmitted by each switch of the plurality of switches. In some embodiments, control circuitry generates a plurality of mirroring parameters, each mirroring parameter comprising an instruction to mirror a respective type of packet. The control circuitry transmits the plurality of mirroring parameters to each switch of the plurality of switches on the network, and receives, from a switch, a packet that was mirrored by the switch according to a mirroring parameter of the plurality of mirroring parameters. The control circuitry determines the respective type of the packet, executes an analysis of contents of the packet based on the respective type of the packet, and determines a health of the switch based on results of the analysis.

Abstract: Systems and methods are disclosed herein for monitoring health of each switch of a plurality of switches on a network by selectively mirroring packets transmitted by each switch of the plurality of switches. In some embodiments, control circuitry generates a plurality of mirroring parameters, each mirroring parameter comprising an instruction to mirror a respective type of packet. The control circuitry transmits the plurality of mirroring parameters to each switch of the plurality of switches on the network, and receives, from a switch, a packet that was mirrored by the switch according to a mirroring parameter of the plurality of mirroring parameters. The control circuitry determines the respective type of the packet, executes an analysis of contents of the packet based on the respective type of the packet, and determines a health of the switch based on results of the analysis.

Abstract: Disclosed herein are system, method, and computer program product embodiments for providing an anomaly detection system. Some aspects of this disclosure include a method for detecting anomaly in a network device. The method includes determining one or more similarity values between a flow vector corresponding to a flow associated with the network device and one or more flow clusters associated with the network device. The method further includes determining a maximum similarity value as a maximum of the one or more similarity values and comparing the maximum similarity value to a threshold. The method also includes, in response to the maximum similarity value being equal to or greater than the threshold, updating a flow cluster associated with the maximum similarity value. The method also includes, in response to the maximum similarity measure being less than the threshold, detecting the anomaly in the network device.

Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to minor the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.

Abstract: Systems and methods are presented herewith for selecting a preferred route for routing a packet from a first network node to a second network node. A set of possible routes is maintained, with each route having am associated weight value. A random subset of routes is then selected based on the weight values. Each route of the subset is then probed to determine its gain value. The preferred route is selected based on the gain values (e.g., by selecting the highest gain value). Then, all weight values are updated based on the respective gain values. The steps are periodically repeated. Then, whenever a packet needs to be routed, the route currently designated as preferred is used.

Abstract: Systems and methods are presented herewith for selecting a preferred route for routing a packet from a first network node to a second network node. A set of possible routes is maintained, with each route having am associated weight value. A random subset of routes is then selected based on the weight values. Each route of the subset is then probed to determine its gain value. The preferred route is selected based on the gain values (e.g., by selecting the highest gain value). Then, all weight values are updated based on the respective gain values. The steps are parodically repeated. Then, whenever a packet needs to be routed, the route currently designated as preferred is used.

Abstract: Systems and methods are disclosed herein for reducing storage space used in tracking behavior of a plurality of network endpoints by modeling the behavior with a behavior model. To this end, control circuitry may determine a respective network endpoint, of a plurality of network endpoints, to which each respective record of a plurality of received records corresponds. The control circuitry then may assign a dedicated queue for each respective network endpoint, and transmit, to each dedicated queue, each record that corresponds to the respective network endpoint to which the respective dedicated queue is assigned. The control circuitry may then determine, for each respective network endpoint, a respective behavior model, and may store each respective behavior model to memory.

Abstract: Systems and methods are disclosed herein for monitoring health of each switch of a plurality of switches on a network by selectively mirroring packets transmitted by each switch of the plurality of switches. In some embodiments, control circuitry generates a plurality of mirroring parameters, each mirroring parameter comprising an instruction to mirror a respective type of packet. The control circuitry transmits the plurality of mirroring parameters to each switch of the plurality of switches on the network, and receives, from a switch, a packet that was mirrored by the switch according to a mirroring parameter of the plurality of mirroring parameters. The control circuitry determines the respective type of the packet, executes an analysis of contents of the packet based on the respective type of the packet, and determines a health of the switch based on results of the analysis.

Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to minor the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.

Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to mirror the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.

Abstract: A function is provided in a network system for adjusting network policies associated with the operation of network infrastructure devices of the network system. Network policies are established on network devices including packet forwarding devices. The network has a capability to identify computer applications associated with traffic running on the network. A network policy controller of the network is arranged to change one or more policies of one or more network devices based on computer application information acquired. The policies changed may be network policies as well as mirroring policies. An example policy to change is direct a network device to mirror traffic to an application identification appliance for the purpose of identifying applications running on the network through a plurality of mechanisms. The function may be provided in one or more devices of the network.

Abstract: A function is provided in a network system for policy-based dynamic mirroring for network traffic. The function monitors events, topology and status of the network and installs, enables, selects or changes traffic mirrors associated with the operation of one or more devices of the network. The mirror policies are established based on network polices and/or rules. The mirror policies and the enablement, installation, selection or changing of them are based on multiple criteria. The function provides for the selection of traffic to mirror, how much of it to mirror, where to mirror it and when to stop the mirroring. The function may be established in network entry devices as well as core switching devices of the network. The function can select portals for the mirroring activity and can secure the mirroring.

Abstract: A network architecture system that expands the control network administrators have on existing networks. The system provides application identification and usage data, by user, by device and network location. Dynamic traffic mirroring of the system allows for the efficient use of a tool to identify computer applications running on the network. The system includes the ability to embed the tool where needed rather than pervasively based on the use of the dynamic mirroring to bring the packets to the tool. The architecture implemented functions allow the ability to start small with a single application identification tool added to a network management server, examine flows from throughout the network (via mirroring) and upgrade policy control based on real application identification data and usage, then grow to pervasive deployment where virtually all new flows could be identified and controlled via policy. This architecture enables substantially complete application visibility and control.

Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to mirror the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.

Abstract: A function is provided in a network system for the dynamic mirroring of network traffic for a variety of purposes including the identification of characteristics of the traffic. Multiple criteria are established for when, what and where to mirror the traffic. The criteria include what frames of traffic to mirror, what portions of the selected frames to mirror, one or more portals through which to mirror the selected frames, a destination for the mirroring and the establishment of a mirror in a device to carry out the mirroring. The criteria may also include when to stop the mirroring. The mirroring instructions can be changed based on the detection of a triggering event, such as authentication, device type or status, ownership of an attached function attached to the device, flow status, but not limited to that. The function may be established in one or more devices of the network.