Abstract: An example method according to some embodiments includes receiving flow data for a packet traversing a network. The method continues by determining a source endpoint group and a destination endpoint group for the packet. The method continues by determining that a policy was utilized, the policy being applicable to the endpoint group. Finally, the method includes updating utilization data for the policy based on the flow data.

Abstract: Systems, methods, and computer-readable media for identifying bogon addresses. A system can obtain an indication of address spaces in a network. The indication can be based on route advertisements transmitted by routers associated with the network. The system can receive a report generated by a capturing agent deployed on a host. The report can identify a flow captured by the capturing agent at the host. The system can identify a network address associated with the flow and, based on the indication of address spaces, the system can determine whether the network address is within the address spaces in the network. When the network address is not within the address spaces in the network, the system can determine that the network address is a bogon address. When the network address is within the address spaces in the network, the system can determine that the network address is not a bogon address.

Abstract: Systems, methods, and computer-readable media for determining sensor placement and topology. In some embodiments, a system can receive messages from sensors deployed around a network, each of the messages reporting a respective flow captured by a reporting sensor from the sensors. Next, the system can identify flows reported in the messages and, for each of the flows, generate a respective list of sensors that reported that flow. Based on the respective list of sensors, the system can infer a respective placement of the sensors within the network and a topology of the sensors. For example, the system can determine that a first sensor is deployed in a virtual machine, a second sensor is deployed in a hypervisor hosting the virtual machine, and a third sensor is deployed in a network device configured to route traffic associated with the hypervisor.

Abstract: An approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to “hide” or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.

Abstract: An example method can include receiving a traffic report from a sensor and using the traffic report to detect intra-datacenter flows. These intra-datacenter flows can then be compared with a description of historical flows. The description of historical flows can identify characteristics of normal and malicious flows. Based on the comparison, the flows can be classified and tagged as normal, malicious, or anomalous. If the flows are tagged as malicious or anomalous, corrective action can be taken with respect to the flows. A description of the flows can then be added to the description of historical flows.

Abstract: This disclosure generally relate to a method and system for network policy simulation in a distributed computing system. The present technology relates techniques that enable simulation of a new network policy with regard to its effects on the network data flow. By enabling a simulation data flow that is parallel and independent from the regular data flow, the present technology can provide optimized network security management with improved efficiency.

Abstract: Systems, methods, and non-transitory computer-readable storage media for synchronizing timestamps of a sensor report to the clock of a device. In one embodiment, the device receives a report from a sensor of a node. The report can include a network activity of the node captured by the sensor and a first timestamp relative to the clock of the node. The device can then determine a second timestamp relative to the clock of the collector indicating receipt of the report by the device and from the sensor at the node. The device can also determine a delta between the first timestamp and the second timestamp, and a communication latency associated with a communication channel between the device and the sensor. Next, the device can adjust the delta based on the communication latency, and generate a third timestamp based on the adjusted delta.

Abstract: A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed outside of the first host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that a hidden process exists and corrective action can be taken.

Abstract: An approach for establishing a priority ranking for endpoints in a network. This can be useful when triaging endpoints after an endpoint becomes compromised. Ensuring that the most critical and vulnerable endpoints are triaged first can help maintain network stability and mitigate damage to endpoints in the network after an endpoint is compromised. The present technology involves determining a criticality ranking and a secondary value for a first endpoint in a datacenter. The criticality ranking and secondary value can be combined to form priority ranking for the first endpoint which can then be compared to a priority ranking for a second endpoint to determine if the first endpoint or the second endpoint should be triaged first.

Abstract: A system and method of detecting polarity inversion in an optical switching circuit is disclosed. The method includes performing a first round of a port verification process on at least two optical ports, transmitting a payload from at least one optical port in the at least two optical ports, determining if the payload was received at a second optical port in the at least two optical ports, assigning a pair of ports to a first group in the case that the predetermined payload was communicated between the pair of ports, and assigning a pair of ports to a second group in the case that the predetermined payload was not communicated between the pair of ports. The method also includes determining that either the first group of ports or the second group of ports has inverted polarity.

Abstract: A system and method of detecting polarity inversion in an optical switching circuit is disclosed. The method includes performing a first round of a port verification process on at least two optical ports, transmitting a payload from at least one optical port in the at least two optical ports, determining if the payload was received at a second optical port in the at least two optical ports, assigning a pair of ports to a first group in the case that the predetermined payload was communicated between the pair of ports, and assigning a pair of ports to a second group in the case that the predetermined payload was not communicated between the pair of ports. The method also includes determining that either the first group of ports or the second group of ports has inverted polarity.

Abstract: In wireless networks where multiple base stations are deployed, handsets may handoff from one base station to the other while in a voice call. In this disclosure a layer-2 hand-off mechanism for cellular systems designed to operate in unlicensed spectrum is described. More specifically a proposed method that does not use any pre-determined thresholds to initiate the hand-offs is disclosed.

Abstract: In wireless networks where multiple base stations are deployed, handsets may handoff from one base station to the other while in a voice call. In this disclosure a layer-2 hand-off mechanism for cellular systems designed to operate in unlicensed spectrum is described. More specifically a proposed method that does not use any pre-determined thresholds to initiate the hand-offs is disclosed.

Abstract: One embodiment of the present invention provides a system that optimizes packet transmissions during a convergecast operation in a convergecast network. During operation, the system receives a request to perform the convergecast operation in the convergecast network. This convergecast network includes a base-station and a plurality of nodes, wherein during the convergecast operation the plurality of nodes communicate packets to the base-station. In response to the request, the system constructs a convergecast-tree, which includes the base-station and the plurality of nodes, based on hop counts from the plurality of nodes to the base-station. Next, the system linearizes the convergecast-tree so that the convergecast-tree contains a plurality of linear branches. The system then schedules packet transmission for each of the linear branches and each node in each branch based on a set of predetermined criteria to obtain a scheduled order.