Abstract: A traffic-monitoring system that monitors encrypted traffic exchanged between IP addresses used by devices and a network, and further receives the user-action details that are passed over the network. By correlating between the times at which the encrypted traffic is exchanged and the times at which the user-action details are received, the system associates the user-action details with the IP addresses. In particular, for each action specified in the user-action details, the system identifies one or more IP addresses that may be the source of the action. Based on the IP addresses, the system may identify one or more users who may have performed the action. The system may correlate between the respective action-times of the encrypted actions and the respective approximate action-times of the indicated actions. The system may hypothesize that the indicated action may correspond to one of the encrypted actions having these action-times.

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: Systems and methods for passive monitoring of computer communication that does not require performing any decryption. A monitoring system receives the traffic exchanged with each relevant application server, and identifies, in the traffic, sequences of messages—or “n-grams”—that appear to belong to a communication session between a pair of users. Subsequently, based on the numbers and types of identified n-grams, the system identifies each pair of users that are likely to be related to one another via the application, in that these users used the application to communicate (actively and/or passively) with one another. The system may identify those sequences of messages that, by virtue of the sizes of the messages in the sequence, and/or other properties of the messages that are readily discernable, indicate a possible user-pair relationship.

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: A system for identifying related pairs of information items. In a context, monitoring devices acquire various information items by monitoring people over time. Such information items may include imaged features of the people, alphanumeric identifiers such as IMSIs, and/or the certain types of events. The system identifies, based on the monitored information, indications of relatedness, each of which indicates that a respective pair of the information items may be related to one another with respect to certain predefined criteria. For example, the processor may identify instances of copresence, in each of which a pair of information items were exhibited at approximately the same time and at approximately the same location. In response to identifying a sufficient number of indications of relatedness for any particular pair, the processor may hypothesize that the pair are related to one another.

Abstract: Methods and systems for monitoring activity on a local area networks (LAN). In particular, embodiments described herein provide systems and methods for associating packets with the devices from which they were communicated, despite the obfuscatory behavior of any network address translators (NAT). A processor first receives packets that were collectively communicated, by a plurality of devices, via a NAT-serviced LAN. The processor aggregates the packets into multiple packet aggregations on a per device basis. Fields that are contained in the respective packet headers of the packets are used. The packet aggregations may be grouped. The embodiments use unencrypted lower-level information (including, for example, IPIDs and domain names), such that aggregation and grouping may be successfully performed even if information in the application layer is encrypted.

Abstract: Methods and systems for keyword spotting, i.e., for identifying textual phrases of interest in input data. The input data may be communication packets exchanged in a communication network. A keyword spotting system holds a dictionary (or dictionaries) of textual phrases for searching input data. The input data and the patterns are assigned to multiple different pattern matching algorithms. For example, a share of the traffic is handled by one algorithm and smaller traffic shares may be handled by the others. The system monitors the algorithms performance as they process the data to search for a match. The ratio of traffic splitting among the algorithms is dynamically reassigned or adjusted to maximize the overall performance.

Abstract: Methods and systems for range matching. The system holds a definition of one or more ranges of Internet Protocol (IP) addresses. The definition may specify any desired number of ranges of any suitable size, and some ranges may overlap one another or be contained in one another. The definition may also specify certain returned values and/or relative priorities for the various ranges. In a pre-processing phase, a hash table that is subsequently queried with addresses to be range-matched. The hash table may be updated at run-time. During operation, the system receives addresses (e.g., extracts addresses from monitored communication traffic) and identifies by querying the hash table, for each address, whether the address falls within any of the ranges.

Abstract: Systems and methods for spotting keywords in data packets are provided. In particular, input data is received to be searched for occurrences of a set of patterns, the input data being divided into multiple segments. Then the input data and the patterns are assigned to first and second pattern matching algorithms, the first pattern matching algorithm is configured to search only within each of the segments, and the second pattern matching algorithm is configured to search across boundaries between adjacent segments. Then the input data is searched using the first and second pattern matching algorithms.

Abstract: Methods and systems for monitoring activity on a local area networks (LAN). In particular, embodiments described herein provide systems and methods for associating packets with the devices from which they were communicated, despite the obfuscatory behavior of any network address translators (NAT). A processor first receives packets that were collectively communicated, by a plurality of devices, via a NAT-serviced LAN. The processor aggregates the packets into multiple packet aggregations on a per device basis. Fields that are contained in the respective packet headers of the packets are used. The packet aggregations may be grouped. The embodiments use unencrypted lower-level information (including, for example, IPIDs and domain names), such that aggregation and grouping may be successfully performed even if information in the application layer is encrypted.

Abstract: An apparatus and techniques for constructing and utilizing a “dynamic dictionary” that is not a compiled dictionary, and therefore does not need to be recompiled in order to be updated. The dynamic dictionary includes respective data structures that represent (i) a management automaton that includes a plurality of management nodes, and (ii) a runtime automaton that is derived from the management automaton and includes a plurality of runtime nodes. The runtime automaton may be used to search input data, such as communication traffic over a network, for keywords of interest, while the management automaton manages the addition of keywords to the dynamic dictionary. Typically, at least two (e.g., exactly two) such dynamic dictionaries are used in combination with a static dictionary.

Abstract: A system for storing document collections in a manner that facilitates efficient querying. Each document vector is hashed, by applying a suitable hash function to the components of the vector. The hash function maps the vector to a particular hash value, corresponding to a particular hyperbox in the multidimensional space to which the vectors belong. The vector, or a pointer to the vector, is then stored in a hash table in association with the vector's hash value. Subsequently, given a document of interest, documents similar to the document of interest may be found by hashing the vector of the document of interest, and then returning the vectors that are associated, in the hash table, with the resulting hash value.

Abstract: Methods and systems for range matching. The system holds a definition of one or more ranges of Internet Protocol (IP) addresses. The definition may specify any desired number of ranges of any suitable size, and some ranges may overlap one another or be contained in one another. The definition may also specify certain returned values and/or relative priorities for the various ranges. In a pre-processing phase, a hash table that is subsequently queried with addresses to be range-matched. The hash table may be updated at run-time. During operation, the system receives addresses (e.g., extracts addresses from monitored communication traffic) and identifies by querying the hash table, for each address, whether the address falls within any of the ranges.

Abstract: An apparatus and techniques for constructing and utilizing a “dynamic dictionary” that is not a compiled dictionary, and therefore does not need to be recompiled in order to be updated. The dynamic dictionary includes respective data structures that represent (i) a management automaton that includes a plurality of management nodes, and (ii) a runtime automaton that is derived from the management automaton and includes a plurality of runtime nodes. The runtime automaton may be used to search input data, such as communication traffic over a network, for keywords of interest, while the management automaton manages the addition of keywords to the dynamic dictionary. Typically, at least two (e.g., exactly two) such dynamic dictionaries are used in combination with a static dictionary.

Abstract: An apparatus and techniques for constructing and utilizing a “dynamic dictionary” that is not a compiled dictionary, and therefore does not need to be recompiled in order to be updated. The dynamic dictionary includes respective data structures that represent (i) a management automaton that includes a plurality of management nodes, and (ii) a runtime automaton that is derived from the management automaton and includes a plurality of runtime nodes. The runtime automaton may be used to search input data, such as communication traffic over a network, for keywords of interest, while the management automaton manages the addition of keywords to the dynamic dictionary. Typically, at least two (e.g., exactly two) such dynamic dictionaries are used in combination with a static dictionary.

Abstract: An apparatus and techniques for constructing and utilizing a “dynamic dictionary” that is not a compiled dictionary, and therefore does not need to be recompiled in order to be updated. The dynamic dictionary includes respective data structures that represent (i) a management automaton that includes a plurality of management nodes, and (ii) a runtime automaton that is derived from the management automaton and includes a plurality of runtime nodes. The runtime automaton may be used to search input data, such as communication traffic over a network, for keywords of interest, while the management automaton manages the addition of keywords to the dynamic dictionary. Typically, at least two (e.g., exactly two) such dynamic dictionaries are used in combination with a static dictionary.

Abstract: Methods and systems for keyword spotting, i.e., for identifying textual phrases of interest in input data. In the embodiments described herein, the input data comprises communication packets exchanged in a communication network. The disclosed keyword spotting techniques can be used, for example, in applications such as Data Leakage Prevention (DLP), Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), and spam e-mail detection. A keyword spotting system holds a dictionary of textual phrases for searching input data. In a communication analytics system, for example, the dictionary defines textual phrases to be located in communication packets—such as e-mail addresses or Uniform Resource Locators (URLs).

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: A monitoring system that receives messages that are exchanged with the application server. Relationships between users are posited in response to the times at which the messages are received. A relationship between two users may be posited in response to receiving, at approximately the same time, two messages from the application server that are destined, respectively, for the two users. The near-simultaneous receipt of the two messages indicates that the two messages were sent from the server at approximately the same time, which, in turn, indicates that the two messages may correlate with one another. Further indication of a correlation between the messages, which may increase the level of confidence with which the relationship between the two users is posited, may be found by examining the respective sizes of the messages, which indicate the message types.

Abstract: Embodiments that are described herein provide improved methods and systems for analyzing network traffic. The disclosed embodiments enable an analytics system to perform complex processing to only new, first occurrences of received content, while refraining from processing duplicate instances of that content. In an embodiment, the analytics results regarding the first occurring content are reported and cached in association with the content. For any duplicate instance of the content, the analytics results are retrieved from the cache without re-processing of the duplicate content. When using the disclosed techniques, the system still processes all first occurring content but not duplicate instances of content that was previously received and processed. In the embodiments described herein, input data comprises communication packets exchanged in a communication network.