Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: A method for producing a summary A of data points in an unaggregated data stream wherein the data points are in the form of weighted keys (a, w) where a is a key and w is a weight, and the summary is a sample of k keys a with adjusted weights wa. A first reservoir L includes keys having adjusted weights which are additions of weights of individual data points of included keys and a second reservoir T includes keys having adjusted weights which are each equal to a threshold value ? whose value is adjusted based upon tests of new data points arriving in the data stream. The summary combines the keys and adjusted weights of the first reservoir L with the keys and adjusted weights of the second reservoir T to form the sample representing the data stream upon which further analysis may be performed.

Abstract: Performance for a network is measured by sending multi-objective probes on a path, receiving at least one of the multi-objective probes for the path, and determining performance measurements for at least two parameters of the path determined from the at least one of the multi-objective probes. Separate algorithms are simultaneously executed to measure the at least two parameters of the path determined from the at least one of the multi-objective probes.

Abstract: Statistical methods are used to observe packet flow arrival processes and to infer routing changes from those observations. Packet flow arrivals are monitored using NetFlow or another packet flow monitoring arrangement. Packet flow arrivals are quantified by counting arrivals per unit time, or by measuring an inter-arrival time between flows. When a change in packet flow arrivals is determined to be statistically significant, a change in network routing protocol is reported.

Abstract: In one embodiment, the present disclosure is a method and apparatus for classifying applications using the collective properties of network traffic. In one embodiment, a method for classifying traffic in a communication network includes receiving a traffic activity graph, the traffic activity graph comprising a plurality of nodes interconnected by a plurality of edges, where each of the nodes represents an endpoint associated with the communication network and each of the edges represents traffic between a corresponding pair of the nodes, generating an initial set of inferences as to an application class associated with each of the edges, based on at least one measured statistic related to at least one traffic flow in the communication network, and refining the initial set of inferences based on a spatial distribution of the traffic flows, to produce a final traffic activity graph.

Abstract: A device includes a processor configured to determine a number of users in each of a plurality of wireless telephone cells of a trajectory in a wireless telephone network. The processor is also configured to determine handoff data between each adjacent pair of the wireless telephone cells, and to determine a first number of users traveling along the trajectory in the wireless telephone network while on a telephone call. The processor also calculates a total number of users associated with the trajectory in the wireless telephone network based on the handoff data between each adjacent pair of the wireless telephone cells, and based on the first number of users traveling along the trajectory while on the telephone call.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for approximating an accent source. A system practicing the method collects data associated with customer specific services, generates country-specific or dialect-specific weights for each service in the customer specific services list, generates a summary weight based on an aggregation of the country-specific or dialect-specific weights, and sets an interactive voice response system language model based on the summary weight and the country-specific or dialect-specific weights. The interactive voice response system can also change the user interface based on the interactive voice response system language model. The interactive voice response system can tune a voice recognition algorithm based on the summary weight and the country-specific weights. The interactive voice response system can adjust phoneme matching in the language model based on a possibility that the speaker is using other languages.

Abstract: A method and an apparatus for providing a measurement of performance for a network are disclosed. For example, the method sends a plurality of multi-objective probes on a path, and receives one or more of said plurality of multi-objective probes for the path. The method then determines a plurality of performance measurements.

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a desired quantity of flow record to sample, receiving a plurality of network flow record each summarizing a network flow of packets, calculating a hash for each flow record of based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, generating a priority from the calculated hash for each respective flow record, and sampling exactly the desired quantity of flow records, selecting flow records having a highest priority first. In one aspect, the method further partitions the plurality of flow records into groups based on flow origin and destination, generates an individual priority for each partitioned group, and separately samples exactly the desired quantity of flow records from each partitioned group, selecting flows having a highest individual priority first.

Abstract: The present invention relates to a method of obtaining a generic sample of an input stream. The method is designated as VAROPTk. The method comprises receiving an input stream of items arriving one at a time, and maintaining a sample S of items i. The sample S has a capacity for at most k items i. The sample S is filled with k items i. An nth item i is received. It is determined whether the nth item i should be included in sample S. If the nth item i is included in sample S, then a previously included item i is dropped from sample S. The determination is made based on weights of items without distinguishing between previously included items i and the nth item i. The determination is implemented thereby updating weights of items i in sample S. The method is repeated until no more items are received.

Abstract: A method and apparatus for providing performance measurements on network tunnels in packet networks are disclosed. For example, the method establishes two tunnels between a first measurement host and a first router, and establishes a tunnel between the first router and a second measurement host. The method also establishes a multicast group having a plurality of members, and sends one or more packets addressed to the multicast group from the first measurement host. The method measures the frequencies of directly and/or indirectly received responses from the plurality of members of the multicast group, and provides a plurality of estimated values for a plurality of packet transmission rates from measurement of the frequencies for one or more of said tunnels.

Abstract: A multi-staged framework for detecting and diagnosing Denial of Service attacks is disclosed in which a low-cost anomaly detection mechanism is first used to collect coarse data, such as may be obtained from Simple Network Management Protocol (SNMP) data flows. Such data is analyzed to detect volume anomalies that could possibly be indicative of a DDoS attack. If such an anomaly is suspected, incident reports are then generated and used to trigger the collection and analysis of fine grained data, such as that available in Netflow data flows. Both types of collection and analysis are illustratively conducted at edge routers within the service provider network that interface customers and customer networks to the service provider. Once records of the more detailed information have been retrieved, they are examined to determine whether the anomaly represents a distributed denial of service attack, at which point an alarm is generated.

Abstract: Methods and apparatus to bound network traffic estimation error for multistage measurement sampling and aggregation are disclosed.

Abstract: A method and apparatus for detecting and localizing an anomaly for a network are disclosed. For example, the method sends a first set of probe packets on at least one path of the network, and detects a performance anomaly on a first path of the at least one path. The method then identifies at least one link on the first path that is responsible for the performance anomaly by applying a second set of probe packets.

Abstract: A method for producing a summary A of data points in an unaggregated data stream wherein the data points are in the form of weighted keys (a, w) where a is a key and w is a weight, and the summary is a sample of k keys a with adjusted weights wa. A first reservoir L includes keys having adjusted weights which are additions of weights of individual data points of included keys and a second reservoir T includes keys having adjusted weights which are each equal to a threshold value ? whose value is adjusted based upon tests of new data points arriving in the data stream. The summary combines the keys and adjusted weights of the first reservoir L with the keys and adjusted weights of the second reservoir T to form the sample representing the data stream upon which further analysis may be performed.

Abstract: Disclosed herein are systems, computer-implemented methods, and computer-readable media for sampling network traffic. The method includes receiving a plurality of flow records, calculating a hash for each flow record based on one or more invariant part of a respective flow, generating a quasi-random number from the calculated hash for each respective flow record, and sampling flow records having a quasi-random number below a probability P. Invariant parts of flow records include destination IP address, source IP address, TCP/UDP port numbers, TCP flags, and network protocol. A plurality of routers can uniformly calculate hashes for flow records. Each router in a plurality of routers can generate a same quasi-random number for each respective flow record and uses different values for probability P. The probability P can depend on a flow size. The method can divide the quasi-random number by a maximum possible hash value.

Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: A packet loss estimation technique is disclosed that utilizes the sampled flow level statistics that are routinely collected in operational networks, thereby obviating the need for any new router features or measurement infrastructure. The technique is specifically designed to handle the challenges of sampled flow-level aggregation such as information loss resulting from packet sampling, and generally comprises: receiving a first record of sampled packets for a flow from a first network element; receiving a second record of sampled packets for the flow from a second network element communicating with the first network element; correlating sampled packets from the flow at the first network element and the second network element to a measurement interval; and estimating the packet loss using a count of the sampled packets correlated to the measurement interval.

Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: A traffic classifier has a plurality of binary classifiers, each associated with one of a plurality of calibrators. Each calibrator trained to translate an output score of the associated binary classifier into an estimated class probability value using a fitted logistic curve, each estimated class probability value indicating a probability that the packet flow on which the output score is based belongs to the traffic class associated with the binary classifier associated with the calibrator. The classifier training system configured to generate a training data based on network information gained using flow and packet sampling methods. In some embodiments, the classifier training system configured to generate reduced training data sets, one for each traffic class, reducing the training data related to traffic not associated with the traffic class.