Abstract: A method is provided for collecting and processing information of a target who is a user of a communication network. The method includes obtaining a first identifier of the target, accessing, based on a handle of the first identifier, a first public webpage associated with the target in a first Internet site identified based on a domain of the first identifier, extracting content of the first public webpage for including in target data of the target, obtaining a third identifier of the target, intercepting a document associated with the target from a private portion of communication network traffic identified based on a domain of the third identifier, extracting content of the document for including in the target data, determining a second identifier by searching the target data, associating the second identifier with the target based on a pre-determined criterion, and collecting information of the target based on the second identifier.

Abstract: A method for identifying a botnet in a network, including analyzing historical network data using a pre-determined heuristic to determine values of a connectivity graph based feature in the historical network data, obtaining a ground truth data set having labels assigned to data units in the historical network data identifying known malicious nodes in the network, analyzing the historical network data and the ground truth data set using a machine learning algorithm to generate a model representing the labels as a function of the values of the connectivity graph based feature, analyzing real-time network data using the pre-determined heuristic to determine a value of the connectivity graph based feature for a data unit in the real-time network data, assigning a label to the data unit by applying the model to the value of the connectivity graph based feature, and categorizing the data unit as associated with the botnet based on the label.

Abstract: A method for identifying a botnet in a network, including analyzing historical network data using a pre-determined heuristic to determine values of a feature in the historical network data, obtaining a ground truth data set having labels assigned to data units in the historical network data identifying known malicious nodes in the network, analyzing the historical network data and the ground truth data set using a machine learning algorithm to generate a model representing the labels as a function of the values of the feature, analyzing real-time network data using the pre-determined heuristic to determine a value of the feature for a data unit in the real-time network data, assigning a label to the data unit by applying the model to the value of the feature, and categorizing the data unit as associated with the botnet based on the label.

Abstract: A method and system to detect botnet beaconing event based on a beacon detection rule set to generate a beacon alert, which is in turn used to trigger an elevated exfiltration detection activity by reducing various thresholds in an exfiltration detection rule set.

Abstract: Embodiments of the invention address the problem of detecting bots in network traffic based on a classification model learned during a training phase using machine learning algorithms based on features extracted from network data associated with either known malicious or known non-malicious client and applying the learned classification model to features extracted in real-time from current network data. The features represent communication activities between the known malicious or known non-malicious client and a number of servers in the network.

Abstract: The present invention relates to a method of profiling an Internet endpoint associated with an Internet Protocol (IP) address, an IP prefix, or a domain name, the method includes generating a profiling rule using an Internet search engine, obtaining a search result by inputting the IP address, the IP prefix, or the domain name to the Internet search engine, and classifying the Internet endpoint based on the search result using the profiling rule.

Abstract: The invention relates to a method for profiling VoIP activity in network traffic. The method includes obtaining a plurality of audio packets from a plurality of packets in the network traffic by analyzing a plurality of parameter sets based on a first pre-determined criterion, wherein each of the plurality of parameter sets corresponds to a packet of the plurality of packets and comprises a packet size and a packet arrival time associated with a corresponding packet of the plurality of packets, generating a count of an IP address by counting at least a portion of the plurality of audio packets, wherein each packet of the portion of the plurality of audio packets comprises the IP address, and identifying an endpoint corresponding to the IP address as a VoIP server and identifying the portion of the plurality of audio packets as VoIP activity associated with the VoIP server when the count exceeds a pre-determined threshold.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test-bed experimentation.

Abstract: A method for content transmission in a cellular network having a collection of cellular zones. The method includes obtaining a statistical trace associated with the cellular network, comprising attributes of historical content chunks received from prior users of the cellular network and trajectories of the prior users moving within the cellular zones, analyzing the statistical trace to identify a portion of the cellular zones as drop zones, allocating drop zone transmission bandwidth to the drop zones based on a pre-determined criterion, receiving, subsequent to the allocating, a transmission request for a content chunk from a mobile device of a user outside the drop zones, delaying transmission of the content chunk while the mobile device remains outside of the drop zones, and transmitting the content chunk in response to detecting the mobile device within the drop zones.

Abstract: A method for detecting automatically generated malicious domain names in a network. The method includes identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre-determined criterion.

Abstract: A method for providing location based service in a cellular data service network (CDSN) by analyzing accounting data packets of the CDSN to determine a user mobility pattern, classifying application data packets of the CDSN into pre-determined application categories, analyzing the accounting data packets and the application data packets to associate the user mobility pattern and one of the pre-determined application category, comparing a newly received accounting data packet and the user mobility pattern to identify a match, and providing, in response to identifying the match, the location based service to a user based on the pre-determined application category.

Abstract: The present invention relates to a method for containing propagation of a malware in a communication network having a plurality of communication nodes.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.

Abstract: The present invention relates to a method of compressing data in a network, the data comprising a plurality of packets each having a header and a payload, the header comprising a plurality of header fields, the method comprising generating a classification tree based on at least a portion of the plurality of header fields, determining a inter-packet compression plan based on the classification tree, and performing inter-packet compression in real time for each payload of at least a first portion of the plurality of packets, the inter-packet compression being performed according to at least a portion of the inter-packet compression plan.

Abstract: The present invention relates to a method of profiling an Internet endpoint associated with an Internet Protocol (IP) address, the method includes generating a profiling rule using an Internet search engine, obtaining a search result by inputting the IP address to the Internet search engine, and classifying the Internet endpoint based on the search result using the profiling rule.

Abstract: The present invention relates to a method of detecting invalid border gateway protocol (BGP) route in a network, wherein network traffic is routed based at least on BGP announcements from one or more BGP routers, the method comprising obtaining a plurality of routing information objects from the BGP announcements during an observation window, each routing information object comprising at least one selected from a group consisting of an prefix-origin autonomous system (AS) association and a directed AS-link, identifying a transient routing information object having at least one selected from a group consisting of a up time less than a first pre-determined threshold or a lifespan less than a second pre-determined threshold, defining a valid routing information object set by eliminating the transient routing information object from the plurality of routing information objects, and detecting a BGP route from the BGP announcements as invalid based on the valid routing information object set.

Abstract: The invention relates to a method for generating a prefix hijacking alert in a network, wherein a plurality of network traffic flows are routed based at least on a plurality of prefix announcements from one or more Border Gateway Protocol (BGP) router, the method comprises identifying an anomalous prefix from the plurality of prefix announcements, identifying a network traffic anomaly from the plurality of network traffic flows, and correlating the anomalous prefix and the network traffic anomaly to generate the prefix hijacking alert.

Abstract: A method and an apparatus is provided that is efficient in detecting network virus and worms while using only the layer-4 information that is easily extracted from core routers and also be scalable when layer-7 information is available. Entropy analysis is used to identify anomalous activity at the flow level. Thereafter, only the contents of suspicious flows are analyzed with fingerprinting extraction. By doing so, the present invention brings together the characteristics of being deployable for real-time high data to rate links and the efficiency and reliability of content fingerprinting techniques.

Abstract: With the widespread adoption of SIP-based VoIP, understanding the characteristics of SIP traffic behavior is critical to problem diagnosis and security protection of VoIP services. A general methodology is provided for profiling SIP-based VoIP traffic behavior at several levels: SIP server host, server entity (e.g., registrar and call proxy) and individual user levels. Using SIP traffic traces captured in a production VoIP network, the characteristics of SIP-based VoIP traffic behavior in an operational environment is illustrated and the effectiveness of the general profiling methodology is demonstrated. In particular, the profiling methodology identifies anomalies due to performance problems and/or implementation flaws through a case study. The efficacy of the methodology in detecting potential VoIP attacks is also demonstrated through a test bed experimentation.