Abstract: Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

Abstract: A network can achieve compliance by defining and enforcing a set of network policies to secure protected electronic information. The network can monitor network data, host/endpoint data, process data, and user data for traffic using a sensor network that provides multiple perspectives. The sensor network can include sensors for networking devices, physical servers, hypervisors or shared kernels, virtual partitions, and other network components. The network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. The network can determine expected network actions based on the policies, such as allowing traffic, denying traffic, configuring traffic for quality of service (QoS), or redirecting traffic along a specific route. The network can update policy data based on the expected network actions and actual network actions. The policy data can be utilized for compliance.

Abstract: Systems, methods, and computer-readable media for determining sensor placement and topology. In some embodiments, a system can receive messages from sensors deployed around a network, each of the messages reporting a respective flow captured by a reporting sensor from the sensors. Next, the system can identify flows reported in the messages and, for each of the flows, generate a respective list of sensors that reported that flow. Based on the respective list of sensors, the system can infer a respective placement of the sensors within the network and a topology of the sensors. For example, the system can determine that a first sensor is deployed in a virtual machine, a second sensor is deployed in a hypervisor hosting the virtual machine, and a third sensor is deployed in a network device configured to route traffic associated with the hypervisor.

Abstract: Systems, methods, and computer-readable media for updating configurations in sensors deployed in multi-layer virtualized environments. In some examples, a system can track information of sensors and collectors in the network. In response to determining that a specific collector becomes unavailable (e.g., the specific collector is down, offline or becomes unsupported), the system can determine affected sensors corresponding to the specific collector, determine a new collector among active collectors of the network for each of the affected sensors, and dynamically update configuration and settings of the affected sensors to maintain proper collector-to-sensor mappings and other settings on the affected sensors.

Abstract: A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.

Abstract: A method provides for receiving network traffic from a host having a host IP address and operating in a data center, and analyzing a malware tracker for IP addresses of hosts having been infected by a malware to yield an analysis. When the analysis indicates that the host IP address has been used to communicate with an external host infected by the malware to yield an indication, the method includes assigning a reputation score, based on the indication, to the host. The method can further include applying a conditional policy associated with using the host based on the reputation score. The reputation score can include a reduced reputation score from a previous reputation score for the host.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: Managing a network environment to identify spoofed packets is disclosed. A method includes analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host, and analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host. The method includes collecting the first data and the second data at a collector and generating a topological map of the network and a history of network activity associated with the first environment and the second environment. The method includes extracting network data from a packet and comparing the extracted network data with stored network data in the database. When the comparison indicates that the extracted network data does not match the stored network data (i.e., the reported source does not match an expected source for the packet), determining that the packet is a spoofed packet.

Abstract: Systems, methods, and computer-readable media for detecting sensor deployment characteristics in a network. In some embodiments, a system can run a capturing agent deployed on a virtualization environment of the system. The capturing agent can query the virtualization environment for one or more environment parameters, and receive a response from the virtualized environment including the one or more environment parameters. Based on the one or more environment parameters, the capturing agent can determine whether the virtualization environment where the capturing agent is deployed is a hypervisor or a virtual machine. The capturing agent can also determine what type of software switch is running in the virtualized environment.

Abstract: Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. In some embodiments, a system can receive, from a first capturing agent deployed in a virtualization layer of a first device, data reports generated based on traffic captured by the first capturing agent. The system can also receive, from a second capturing agent deployed in a hardware layer of a second device, data reports generated based on traffic captured by the second capturing agent. Based on the data reports, the system can determine characteristics of the traffic captured by the first capturing agent and the second capturing agent. The system can then compare the characteristics to determine a multi-layer difference in traffic characteristics. Based on the multi-layer difference in traffic characteristics, the system can determine that the first capturing agent or the second capturing agent is in a faulty state.

Abstract: Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. A method includes determining a lineage for a process within the network and then evaluating, through knowledge of the lineage, the source of the command that initiated the process. The method includes capturing data from a plurality of capture agents at different layers of a network, each capture agent of the plurality of capture agents configured to observe network activity at a particular location in the network, developing, based on the data, a lineage for a process associated with the network activity and, based on the lineage, identifying an anomaly within the network.

Abstract: An example method includes calculating latency bounds for communications from two sensors to a collector (i.e., maximum and minimum latencies). After the collector receives an event report from the first sensor and an event report form the second sensor, the collector can determine, using the latency bounds, whether one event likely preceded the other.

Abstract: Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.

Abstract: Systems, methods, and computer-readable media for hierarchichal sharding of flows from sensors to collectors. A first collector can receive a first portion of a network flow from a first capturing agent and determine that a second portion of the network flow was not received from the first capturing agent. The first collector can then send the first portion of the network flow to a second collector. A third collector can receive the second portion of the network flow from a second capturing agent and determine that the third collector did not receive the first portion of the network flow. The third collector can then send the second portion of the network flow to the second collector. The second collector can then aggregate the first portion and second portion of the network flow to yield the entire portion of the network flow.

Abstract: Conditional policies can be defined that change based on security measurements of network endpoints. In an example embodiment, a network traffic monitoring system can monitor network flows between the endpoints and quantify how secure those endpoints are based on analysis of the network flows and other data. A conditional policy may be created that establishes one or more first connectivity policies for handling a packet when a security measurement of an endpoint is a first value or first range values, and one or more second connectivity policies for handling the packet. The connectivity policies may include permitting connectivity, denying connectivity, redirecting the packet using a specific route, or other network action. When the network traffic monitoring system detects a change to the security measurement of the endpoint, one or more applicable policies can be determined and the system can update policy data for the network to enforce the policies.

Abstract: A method includes analyzing, via a first capturing agent, packets processed in a first environment associated with a first host to yield first data. The method includes analyzing, via a second capturing agent, packets processed by a second environment associated with a second host to yield second data, collecting the first data and the second data at a collector to yield aggregated data, transmitting the aggregated data to an analysis engine which analyzes the aggregated data to yield an analysis. Based on the analysis, the method includes identifying first packet loss at the first environment and second packet loss at the second environment.

Abstract: A network can achieve compliance by defining and enforcing a set of network policies to secure protected electronic information. The network can monitor network data, host/endpoint data, process data, and user data for traffic using a sensor network that provides multiple perspectives. The sensor network can include sensors for networking devices, physical servers, hypervisors or shared kernels, virtual partitions, and other network components. The network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. The network can determine expected network actions based on the policies, such as allowing traffic, denying traffic, configuring traffic for quality of service (QoS), or redirecting traffic along a specific route. The network can update policy data based on the expected network actions and actual network actions. The policy data can be utilized for compliance.

Abstract: Systems, methods, and computer-readable media for collector high availability. In some embodiments, a system receives, from a first collector device, a first data report generated by a capturing agent deployed on a host system in a network. The system can also receive, from a second collector device, a second data report generated by the capturing agent deployed on the host system. The first and second data reports can include traffic data captured at the host system by the capturing agent during a period of time. The system can determine that the first data report and the second data report are both associated with the capturing agent, and identify duplicate data contained in the first data report and the second data report. The system can then deduplicate the first and second data reports to yield a deduplicated data report.

Abstract: Systems, methods, and computer-readable media are provided for determining a packet's round trip time (RTT) in a network. A system can receive information of a packet sent by a component of the network and further determine an expected acknowledgement (ACK) sequence number associated with the packet based upon received information of the packet. The system can receive information of a subsequent packet received by the component and determine an ACK sequence number and a receiving time of the subsequent packet. In response to determining that the ACK sequence number of the subsequent TCP packet matches the expected ACK sequence number, the system can determine a round trip time (RTT) of the packet based upon the received information of the packet and the received information of the subsequent packet.

Abstract: Systems, methods, and computer-readable media for identifying bogon addresses. A system can obtain an indication of address spaces in a network. The indication can be based on route advertisements transmitted by routers associated with the network. The system can receive a report generated by a capturing agent deployed on a host. The report can identify a flow captured by the capturing agent at the host. The system can identify a network address associated with the flow and, based on the indication of address spaces, the system can determine whether the network address is within the address spaces in the network. When the network address is not within the address spaces in the network, the system can determine that the network address is a bogon address. When the network address is within the address spaces in the network, the system can determine that the network address is not a bogon address.