Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: The described technology is generally directed towards methods for data latency evaluation. The techniques disclosed herein can provide useful information about when a data consumer can expect to receive data. Methods can create and compare data latency cumulative probability distributions comprising probabilities associated with different latency values, at various different levels of completeness.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.

Abstract: Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.

Abstract: A method and system for determining whether an IP address is part of a bot-network are provided. The IP-address-aggregate associated with the IP address of an e-mail sender is determined. The IP-address-aggregate is associated with an IP-address-aggregate-category based on the current SMTP traffic characteristics of the IP-address-aggregate and the known SMTP traffic characteristics of an IP-address-aggregate-category. A bot-likelihood score of the IP-address-aggregate-category is then associated with IP-address-aggregate. IP-address-aggregate-categories can be established based on historical SMTP traffic characteristics of the IP-address-aggregates. The IP-address-aggregates are grouped based on SMTP characteristics, and the IP-address-aggregate-categories are defined based on a selection of IP-address-aggregates with similar SMTP traffic characteristics that are diagnostic of spam bots vs. non-botnet-controllers spammers.

Abstract: A system and method for detecting Email spammers from unknown SMTP Clients using the unknown SMTP Client's SMTP traffic information e.g. byte size and variability data. The system and method includes a byte size and variability traffic flow model and a classification system. The traffic flow model may be based upon a standard deviation of byte size and variability of traffic flows for a plurality of legitimate SMTP Clients and for a plurality of Spammer SMTP Clients. The classification system then classifies an Unknown SMTP Client as an Email Spammer based on a comparison between the byte size and the variability of the Unknown SMTP Client's traffic flows with the byte size and variability traffic flow model.

Abstract: A system for detecting a remotely controlled e-mail spam host. The system includes an E-mail spammer detection unit and a host traffic profiling unit. The E-mail spammer detection unit identifies E-mail Spammers based on SMTP traffic characteristics. The host profiling unit extracts traffic components from the plurality of Internet traffic associated with an E-mail Spammer; interprets the extracted traffic components and determines whether the E-mail Spammer is a compromised host. The system may also include a botnet controller detection unit that analyzes traffic associated with compromised E-mail Spammers and identifies the botnet Controller remotely controlling the compromised E-mail Spammer.