Abstract: Systems, methods, and computer-readable media are provided for automatically downloading and launching a new version of software package on components in a network environment. In some examples, an upgrade server of a network environment keeps a copy of all versions of software packages running on nodes or sensors of the network environment, identifications of corresponding nodes or sensors, and public keys associated with the software packages. The upgrade server can authenticate a new version of a software package using a two-step process.

Abstract: The disclosed technology relates to intent driven network management. A system is configured to maintain an inventory store comprising records for a set of network entities in a network, wherein each network entity in the set of network entities is associated with a record in the inventory store. The system receives a user intent statement comprising an action and a flow filter representing network data flows on which the action is to be applied and queries, based on the flow filter, the inventory store to identify a plurality of network entities in the set of network entities to which the user intent statement applies. The system generates a plurality of network policies that implement the user intent statement based on the plurality of network entities and the action and enforces the plurality network policies.

Abstract: The disclosed technology relates to a network agent for reporting to a network policy system. A network agent includes an agent enforcer and an agent controller. The agent enforcer is configured to implementing network policies on the system, access data associated with the implementation of the network policies on the system, and transmit, via an interprocess communication, the data to the agent controller. The agent controller is configured to generate a report including the data and transmit the report to a network policy system.

Abstract: The disclosed technology relates to assigning network agents to communication modules. A network policy system is configured to assign network agents to buckets based on an agent identifier of each agent. The network policy system can assign buckets to communication modules. When a failed communication module is detected, the network policy system can reassigning buckets assigned to the failed communication module to operational communication modules.

Abstract: The disclosed technology relates to a network agent for generating platform specific network policies. A network agent is configured to receive a platform independent network policy from a network policy system, determine implementation characteristics of the network entity, generate platform specific policies from the platform independent network policy based on the implementation characteristics of the network entity, and implement the platform specific policies on the network entity.

Abstract: An example method includes a sensor detecting multiple packets of a flow during a specified total time period (e.g., a reporting time period). The total time period can be subdivided into multiple time periods. The sensor can analyze the detected packets to determine an amount of network utilization for each of the time periods. The sensor can then generate a flow summary based on the network utilization and the flow and send the flow summary to an analytics engine. Multiple other sensors can do similarly for their respective packets and flows. The analytics engine can receive the flow summaries from the various sensors and determine a correspondence between flow with high network utilization at a specific time period and a node or nodes. These nodes that experienced multiple flows with high network utilization for a certain period of time can be identified as experiencing a microburst.

Abstract: Described are techniques for establishing communication between media devices and enabling portions of content to be provided using one or more of the media devices. Data indicative of the transport functionality for the media devices and services available on the media devices may be used to determine one or more media devices suitable for the presentation of content. Control information may be provided to the media device(s) to control presentation of the portions of the content.

Abstract: An electronic device has a first and second radio, each being compatible with at least two wireless local area network (LAN) standards and one or both being compatible with at least one wireless personal area network (WPAN) standard. The electronic device includes a radio control arrangement that establishes mutually non-interfering communication links between (i) one or both of the first and second radio and (ii) at least two remote devices within a wireless LAN that includes the electronic device and the at least two remote devices. The at least two remote devices include at least one network access point and at least a second electronic device; the mutually non-interfering communication links including a network communication link between the first or second radio and the access point, and a peer-to-peer communication link between the first radio or the second radio and the second electronic device.

Abstract: A virtualized computing system including software sensors captures network data from one or more traffic flows the sensors. The captured network data from a given sensor indicates one or more traffic flows detected by the given sensor. The received captured network data is analyzed to identify, for each respective sensor, a first group of sensors, a second group of sensors, and a third group of sensors. All traffic flows observed by the first group of sensors are also observed by the second group of sensors. All traffic flows observed by the second group of sensors are also observed by the third group of sensors. A location of each respective sensor relative to other sensors within the virtualized computing system is determined based upon whether the respective sensor belongs to the first group of sensors, the second group of sensors, or the third group of sensors.

Abstract: Methods, systems, and computer readable media are provided for determining, in a virtualized network system, a relationship of a sensor relative to other sensors. In a virtualized computing system in which a plurality of software sensors are deployed and in which there are one or more traffic flows, captured network data is received from the plurality of sensors, the captured network data from a given sensor of the plurality of sensors indicating one or more traffic flows detected by the given sensor. The received captured network data is analyzed to identify, for each respective sensor, a first group of sensors, a second group of sensors, and a third group of sensors, wherein all traffic flows observed by the first group of sensors are also observed by the second group of sensors, and all traffic flows observed by the second group of sensors are also observed by the third group of sensors.

Abstract: Systems, methods, and computer-readable media for managing compromised sensors in multi-tiered virtualized environments. A method includes determining a lineage for a process within the network and then evaluating, through knowledge of the lineage, the source of the command that initiated the process. The method includes capturing data from a plurality of capture agents at different layers of a network, each capture agent of the plurality of capture agents configured to observe network activity at a particular location in the network, developing, based on the data, a lineage for a process associated with the network activity and, based on the lineage, identifying an anomaly within the network.

Abstract: A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.

Abstract: An example method includes detecting, using sensors, packets throughout a datacenter. The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. The collectors can then send flow logs to an analytics module which can identify the status of the datacenter and detect an attack.

Abstract: Systems, methods, and computer-readable media for annotating process and user information for network flows. In some embodiments, a capturing agent, executing on a first device in a network, can monitor a network flow associated with the first device. The first device can be, for example, a virtual machine, a hypervisor, a server, or a network device. Next, the capturing agent can generate a control flow based on the network flow. The control flow may include metadata that describes the network flow. The capturing agent can then determine which process executing on the first device is associated with the network flow and label the control flow with this information. Finally, the capturing agent can transmit the labeled control flow to a second device, such as a collector, in the network.

Abstract: Systems, methods, and computer-readable media for updating configurations in sensors deployed in multi-layer virtualized environments. In some examples, a system can track information of sensors and collectors in the network. In response to determining that a specific collector becomes unavailable (e.g., the specific collector is down, offline or becomes unsupported), the system can determine affected sensors corresponding to the specific collector, determine a new collector among active collectors of the network for each of the affected sensors, and dynamically update configuration and settings of the affected sensors to maintain proper collector-to-sensor mappings and other settings on the affected sensors.

Abstract: Systems, methods, and computer-readable media are provided for automatically downloading and launching a new version of software package on components in a network environment. In some examples, an upgrade server of a network environment keeps a copy of all versions of software packages running on nodes or sensors of the network environment, identifications of corresponding nodes or sensors, and public keys associated with the software packages. The upgrade server can authenticate a new version of a software package using a two-step process.

Abstract: Systems, methods, and computer-readable media for detecting sensor deployment characteristics in a network. In some embodiments, a system can run a capturing agent deployed on a virtualization environment of the system. The capturing agent can query the virtualization environment for one or more environment parameters, and receive a response from the virtualized environment including the one or more environment parameters. Based on the one or more environment parameters, the capturing agent can determine whether the virtualization environment where the capturing agent is deployed is a hypervisor or a virtual machine. The capturing agent can also determine what type of software switch is running in the virtualized environment.

Abstract: Managing a network environment to identify spoofed packets is disclosed. A method includes analyzing, via a first capture agent, packets processed by a first environment in a network associated with a first host, and analyzing, via a second capture agent, packets processed by a second environment in the network associated with a second host. The method includes collecting the first data and the second data at a collector and generating a topological map of the network and a history of network activity associated with the first environment and the second environment. The method includes extracting network data from a packet and comparing the extracted network data with stored network data in the database. When the comparison indicates that the extracted network data does not match the stored network data (i.e., the reported source does not match an expected source for the packet), determining that the packet is a spoofed packet.

Abstract: A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed outside of the first host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that a hidden process exists and corrective action can be taken.

Abstract: Systems, methods, and non-transitory computer-readable storage media for synchronizing timestamps of a sensor report to the clock of a device. In one embodiment, the device receives a report from a sensor of a node. The report can include a network activity of the node captured by the sensor and a first timestamp relative to the clock of the node. The device can then determine a second timestamp relative to the clock of the collector indicating receipt of the report by the device and from the sensor at the node. The device can also determine a delta between the first timestamp and the second timestamp, and a communication latency associated with a communication channel between the device and the sensor. Next, the device can adjust the delta based on the communication latency, and generate a third timestamp based on the adjusted delta.