Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: Network worms or viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method if provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of those packets including variant strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for suspected worm.

Abstract: An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.

Abstract: A device includes a multistage filter and an elephant trap. The multistage filter has hash functions and an array. The multistage filter is operable to receive a packet associated with a candidate heavy network user and send the packet to the hash functions. The hash functions generate hash function output values corresponding to indices in the array. The elephant trap is connected to the multistage filter. The elephant trap includes a buffer and probabilistic sampling logic. The probabilistic sampling logic is operable to attempt to add information associated with the packet to the buffer a particular percentage of the time based in part on the result of the multistage filter lookup. The buffer is operable to hold information associated with the packet, counter information, and timestamp information.

Abstract: A method and device to process a packet received by a network device is described. The method may comprise analyzing the packet to identify at least one set of a plurality of sets, mapping the at least one set to at least one functional unit, and performing functionality associated with the at least one functional unit. Analyzing the packet to identify at least one of a plurality of sets may comprise determining when the packet includes at least one set identifier, and identifying the at least one set based on the at least one set identifier. A set status identifier may be defined for each set, the set status identifier indicating when set identifiers associated with a corresponding set are detected in the packet. The device may be a router, switch or any other device that processes digital data e.g., packet data including packets headers, payload or the like.

Abstract: Techniques for video encoding and decoding channel switch frames (CSF) to enable acquisition and re/synchronization of the video stream while preserving compression efficiency is provided. Systems and methods to process multimedia data enabling channel switching are presented. The systems generate a CSF with one or more network adaptation layer (NAL) units as a random access point (RAP) frame. Back-to-back frames are transmitted which include the CSF and a non-RAP frame, each having the same frame ID number.

Abstract: A scalable method and apparatus that detects frequent and dispersed invariants is disclosed. More particularly, the application discloses a system that can simultaneously track frequency rates and dispersion criteria of unknown invariants. In other words, the application discloses an invariant detection system implemented in hardware (and/or software) that allows detection of invariants (e.g., byte sequences) that are highly prevalent (e.g., repeating with a high frequency) and dispersed (e.g., originating from many sources and destined to many destinations).

Abstract: A method and apparatus is described to select a representative signature for use in identifying content in a packet stream. The method may comprise receiving the packet stream and obtaining content from a data payload of the packet. Thereafter, a plurality of signatures is identified from the content and a complexity score or a frequency score is determined based on the content. A signature of the plurality of signatures is then selected as the representative signature based on the complexity score or the frequency score.

Abstract: A method and apparatus for detecting malicious attacks is described. The method may comprise obtaining routing information from a packet communicated via a network and maintaining a count of packets associated with a device associated with the routing information. For example, the routing information may a source or destination IP address, a port number, or any other routing information. The device may be classified as a potentially malicious device when the count exceeds a threshold. The count may be incremented when the TCP SYN flag is set and the TCP ACK flag is not set. An embodiment comprises obtaining a source hash of the source IP address and a destination hash of the destination IP address. Thereafter, the source hash and the destination hash may be mapped to multi stage filters. The device associated with the packet may then be selectively categorizing as a suspicious device.

Abstract: A method and apparatus is described for identifying content in a packet. The method may obtain data sample from the packet where the data sample is in a predetermined window at an initial offset point in the packet. For each offset point, a first stage of processing on the data sample may be performed to identify if the data sample corresponds to potentially relevant reference string. A more focused second stage of processing may then be carried out on the data sample to identify if the data sample corresponds to potentially relevant reference string. Thereafter, an even more focused third stage of processing may be carried out on the data sample to obtain a third stage result. If the data sample passes all three stages of processing, a predefined action is identified which is associated with a reference string corresponding to the data sample.

Abstract: A method and apparatus is described to process packets in a network. The method may comprise receiving the packet and determining a length K of the packet. If the length of the packet is less than a reference length M then no analysis may be performed on the packet. However, if the packet length K is not less than M, the method may determine if the packet length K is at least greater than a reference window size WRef. When the packet length is greater than WRef then a window size W for the processing of the packets is set equal to WRef; and the packet length is less than WRef then a window size W for the processing of the packets is set equal to the packet size K. Thereafter, the packet is processed using the window size W.

Abstract: Detecting attacks against computer systems by automatically detecting signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages, and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the amount of resources which are necessary to establish the commonalities. In an embodiment, signatures are created based on the data reduction hash technique. Frequent signatures are found by reducing the signatures using that hash technique. Each of the frequent signatures is analyzed for content, and content which is spreading is flagged as being a possible attack. Additional checks can also be carried out to look for code within the signal, to look for spam, backdoors, or program code.