Abstract: A method for selectively processing a packet flow using a flow inspection engine is disclosed. The method includes receiving, by at least one hardware data plane processor component in a network packet broker, a plurality of packets associated with a packet flow, and forwarding, by the at least one hardware data plane processor component to at least one flow inspection engine, a copy of at least a portion of one or more of the initial packets of the packet flow.

Abstract: A method for network flow metadata processing at a network packet broker is described herein. The method includes, receiving, as input at a network packet broker, network traffic flow data, aggregating the network traffic flow data over a predefined time period to generate Internet protocol (IP) flow feature vectors containing metadata parameters associated with one or more particular endpoint devices, and providing the IP flow feature vectors to a machine learning element in the network packet broker. The method further includes identifying, by the machine learning element, anomalies existing in the metadata parameters included in the IP flow feature vectors, and automatically configuring one or more filter elements in the network packet broker in response to detecting the identified anomalies of the IP flow feature vectors.

Abstract: A method for selectively processing a packet flow using a flow inspection engine is disclosed. The method includes receiving, by at least one hardware data plane processor component in a network packet broker, a plurality of packets associated with a packet flow, and forwarding, by the at least one hardware data plane processor component to at least one flow inspection engine, a copy of at least a portion of one or more of the initial packets of the packet flow.

Abstract: A method for network flow metadata processing at a network packet broker is described herein. The method includes, receiving, as input at a network packet broker, network traffic flow data, aggregating the network traffic flow data over a predefined time period to generate Internet protocol (IP) flow feature vectors containing metadata parameters associated with one or more particular endpoint devices, and providing the IP flow feature vectors to a machine learning element in the network packet broker. The method further includes identifying, by the machine learning element, anomalies existing in the metadata parameters included in the IP flow feature vectors, and automatically configuring one or more filter elements in the network packet broker in response to detecting the identified anomalies of the IP flow feature vectors.

Abstract: According to one method for control plane traffic filtering in a control and user plane separation (CUPS) environment, the method occurs at a network node implemented using at least one processor and at least one memory. The method includes receiving, from one or more sources, network location information associated with a first network location; receiving control plane messages for different network locations; filtering the control plane messages based on the network location information; and sending traffic including data from the filtered control plane messages to at least one network tool.

Abstract: According to one method for control plane traffic filtering in a control and user plane separation (CUPS) environment, the method occurs at a network node implemented using at least one processor and at least one memory. The method includes receiving, from one or more sources, network location information associated with a first network location; receiving control plane messages for different network locations; filtering the control plane messages based on the network location information; and sending traffic including data from the filtered control plane messages to at least one network tool.

Abstract: Systems and methods are disclosed for subscriber sampling for network packet forwarding based upon unique subscriber identifiers. Control packets within input packets are processed to identify unique subscriber identifiers and related session identifiers, which are stored in records within a tracking table. Each input packet is analyzed to extract a session identifier and a unique subscriber identifier if present within the input packet. When a unique subscriber identifier is not present, the tracking table is accessed to determine a unique subscriber identifier associated with the session identifier extracted from the packet. The input packet is sampled based upon the unique subscriber identifier to determine whether or not to output the input packet as a sampled packet. The subscriber sampling can include hash-based sampling, dynamic function based sampling, and/or other subscriber/call based sampling methods. Sampled packets are forwarded to egress port(s) for further processing.

Abstract: Systems and methods are disclosed for subscriber sampling for network packet forwarding based upon unique subscriber identifiers. Control packets within input packets are processed to identify unique subscriber identifiers and related session identifiers, which are stored in records within a tracking table. Each input packet is analyzed to extract a session identifier and a unique subscriber identifier if present within the input packet. When a unique subscriber identifier is not present, the tracking table is accessed to determine a unique subscriber identifier associated with the session identifier extracted from the packet. The input packet is sampled based upon the unique subscriber identifier to determine whether or not to output the input packet as a sampled packet. The subscriber sampling can include hash-based sampling, dynamic function based sampling, and/or other subscriber/call based sampling methods. Sampled packets are forwarded to egress port(s) for further processing.

Abstract: Systems and methods provide concurrent security processing for multiple network security tools. An input packet is received at a network packet forwarding system from a network packet source, and the network packet forwarding system concurrently sends an output packet based upon the input packet to multiple security tools. Return packets are received based upon the output packet from the security tools after their respective security processing. Once return packets are received from each of the security tools, the network packet forwarding system forwards a secure packet to a packet destination. If a timeout occurs before all return packets are received, the network packet forwarding system can assume that the original packet was unsafe and discard information stored for the input packet. If security tools are configured to modify packets, these modifications can also be tracked.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for correlating, load balancing and filtering tapped GTP and non-GTP packets. One method for correlating, load balancing and filtering tapped GTP and non-GTP packets includes receiving GTP packets tapped from a plurality of GTP network tap points. The method further includes receiving non-GTP packets tapped from at least one non-GTP network tap point. The method further includes correlating GTP packets with non-GTP packets for a particular subscriber. The method further includes forwarding the GTP packets and non-GTP packets correlated for the particular subscriber to a network monitoring tool.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for correlating, load balancing and filtering tapped GTP and non-GTP packets. One method for correlating, load balancing and filtering tapped GTP and non-GTP packets includes receiving GTP packets tapped from a plurality of GTP network tap points. The method further includes receiving non-GTP packets tapped from at least one non-GTP network tap point. The method further includes correlating GTP packets with non-GTP packets for a particular subscriber. The method further includes forwarding the GTP packets and non-GTP packets correlated for the particular subscriber to a network monitoring tool.

Abstract: Latency-based timeouts are used for concurrent security processing by multiple in-line network security tools. A network system forwards secure network packets to the tools and uses latency-based timeouts with respect to the return of processed packets from the tools. Initially, the network system measures processing latencies for the tools and sets at least one timeout threshold based upon the processing latencies. The network system then receives an input packet from a network source, generates a timestamp, concurrently sends an output packet to the tools based upon the input packet, tracks return packets from the tools, and determines whether a timeout has occurred with respect to the timeout threshold based upon a difference between the timestamp and a current timestamp. If a timeout does not occur, a secure packet is forwarded to a network destination. If a timeout does occur, return packet tracking for the input packet is ended.

Abstract: Latency-based timeouts are used for concurrent security processing by multiple in-line network security tools. A network system forwards secure network packets to the tools and uses latency-based timeouts with respect to the return of processed packets from the tools. Initially, the network system measures processing latencies for the tools and sets at least one timeout threshold based upon the processing latencies. The network system then receives an input packet from a network source, generates a timestamp, concurrently sends an output packet to the tools based upon the input packet, tracks return packets from the tools, and determines whether a timeout has occurred with respect to the timeout threshold based upon a difference between the timestamp and a current timestamp. If a timeout does not occur, a secure packet is forwarded to a network destination. If a timeout does occur, return packet tracking for the input packet is ended.

Abstract: Systems and methods provide concurrent security processing for multiple network security tools. An input packet is received at a network packet forwarding system from a network packet source, and the network packet forwarding system concurrently sends an output packet based upon the input packet to multiple security tools. Return packets are received based upon the output packet from the security tools after their respective security processing. Once return packets are received from each of the security tools, the network packet forwarding system forwards a secure packet to a packet destination. If a timeout occurs before all return packets are received, the network packet forwarding system can assume that the original packet was unsafe and discard information stored for the input packet. If security tools are configured to modify packets, these modifications can also be tracked.

Abstract: Signature-based latency extraction systems and related methods are disclosed for network packet communications. Disclosed embodiments generate packet signatures (e.g., hash values) for packets received with respect to points within a network packet communication system. For each received packet, its packet signature is compared to packet signatures stored for previously received packets. If no match is found, the packet signature and a timestamp associated with the newly received packet are stored within one or more packet data tables. If a match is found, then the difference between the timestamp associated with the newly received packet and a timestamp stored with the matching packet signature are used to determine a latency value. The latency values can then be used to determine a variety of latency-related parameters for the network infrastructure being measured, and classification information can also be used to generate latency-related histograms. A variety of embodiments can be implemented.

Abstract: Traffic differentiator systems for network devices and related methods are disclosed that determine difference packets from multiple packet streams. Some embodiments are configured to receive two streams of packets with one stream being a processed version of another stream and then to determine difference packets within a lookup time window that is, for example, associated with a processing time for the second stream to be a processed version of the first stream. Difference packets within a lookup time window can also be determined for packets received within a single combined stream of packets. Difference packets and/or related statistical information is then output for additional processing, as desired. The streams of packets can be associated with ingress and egress packets for a network device, and the difference packets and related statistical information can be used to determine packets that are removed, added, and/or modified by the network device.

Abstract: Signature-based latency extraction systems and related methods are disclosed for network packet communications. Disclosed embodiments generate packet signatures (e.g., hash values) for packets received with respect to points within a network packet communication system. For each received packet, its packet signature is compared to packet signatures stored for previously received packets. If no match is found, the packet signature and a timestamp associated with the newly received packet are stored within one or more packet data tables. If a match is found, then the difference between the timestamp associated with the newly received packet and a timestamp stored with the matching packet signature are used to determine a latency value. The latency values can then be used to determine a variety of latency-related parameters for the network infrastructure being measured, and classification information can also be used to generate latency-related histograms. A variety of embodiments can be implemented.

Abstract: Traffic differentiator systems for network devices and related methods are disclosed that determine difference packets from multiple packet streams. Some embodiments are configured to receive two streams of packets with one stream being a processed version of another stream and then to determine difference packets within a lookup time window that is, for example, associated with a processing time for the second stream to be a processed version of the first stream. Difference packets within a lookup time window can also be determined for packets received within a single combined stream of packets. Difference packets and/or related statistical information is then output for additional processing, as desired. The streams of packets can be associated with ingress and egress packets for a network device, and the difference packets and related statistical information can be used to determine packets that are removed, added, and/or modified by the network device.

Abstract: Systems and methods are disclosed for mobile user identification and tracking for load balancing in packet processing systems. Packet processing systems, such as network tool optimizer (NTO) systems, are configured to receive packets associated with multiple mobile users, to extract user identification information from the packets, to store identity binding information for the mobile users, to track changes in identification information for mobile users within a communication system by analyzing control information within packets for the communication system, and to forward packets to one or more tool ports associated with the packet processing system. The packet processing systems disclosed thereby allow for user packets to be identified and sent to the same load-balanced network tool, even though the user identification information changes over time within the communication system.

Abstract: Systems and methods are disclosed for modifying network packets to use unrecognized headers/fields for packet classification and forwarding in packet processing systems, such as network tool optimizer (NTO) devices. The packet modifications described allow standard switch or routing integrated circuits (ICs) to process, classify, and forward packets based upon data that is not typically recognized by the hardware capabilities of the standard packet routing circuitry for packet processing. Input packets are modified so that unrecognized data becomes recognized data for purposes of packet processing, classification, and forwarding by the packet routing circuitry. These modifications are then removed after packets are processed to reform the original packets. The original packets are then provided to destination devices based upon packet classification and forwarding control information.