Abstract: The present invention develops an efficient streaming method for detecting multidimensional hierarchical heavy hitters from massive data streams and enables near real time detection of anomaly behavior in networks.

Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: The present invention develops an efficient streaming method for detecting multidimensional hierarchical heavy hitters from massive data streams and enables near real time detection of anomaly behavior in networks.

Abstract: The present invention provides apparatus for sampling data flows in a data network in order to estimate a total data volume in the network. Sampling the data flows in the data network reduces the network resources that must be expended by the network to support the associated activity. The present invention enables the service provider of the data network to control sampled volumes in relation to the desired accuracy. The control can be either static or can be dynamic for cases in which the data volumes are changing as a function of time.

Abstract: A multi-staged framework for detecting and diagnosing Denial of Service attacks is disclosed in which a low-cost anomaly detection mechanism is first used to collect coarse data, such as may be obtained from Simple Network Management Protocol (SNMP) data flows. Such data is analyzed to detect volume anomalies that could possibly be indicative of a DDoS attack. If such an anomaly is suspected, incident reports are then generated and used to trigger the collection and analysis of fine grained data, such as that available in Netflow data flows. Both types of collection and analysis are illustratively conducted at edge routers within the service provider network that interface customers and customer networks to the service provider. Once records of the more detailed information have been retrieved, they are examined to determine whether the anomaly represents a distributed denial of service attack, at which point an alarm is generated.

Abstract: Two regularized estimators that avoid the pathologies associated with variance estimation are disclosed. The regularized variance estimator adds a contribution to estimated variance representing the likely error, and hence ameliorates the pathologies of estimating small variances while at the same time allowing more reliable estimates to be balanced in the convex combination estimator. The bounded variance estimator employs an upper bound to the variance which avoids estimation pathologies when sampling probabilities are very small.

Abstract: Certain exemplary embodiments comprise a method comprising: for selected traffic that enters a backbone network via a predetermined ingress point and is addressed to a predetermined destination, via a dynamic tunnel, automatically diverting the selected traffic from the predetermined ingress point to a processing complex; and automatically forwarding the selected traffic from the processing complex toward the predetermined destination.

Abstract: An apparatus for optimizing a filter based on detected attacks on a data network includes an estimation means and an optimization means. The estimation means operates when a detector detects an attack and the detector transmits an inaccurate attack severity. The estimation means determines an accurate attack severity. The optimization means adjusts a parameter and the parameter is an input to a filter.