Arbor Networks, Inc. Patent applications
Patent application number | Title | Published |
--- | --- | --- |
20160134503 | PERFORMANCE ENHANCEMENTS FOR FINDING TOP TRAFFIC PATTERNS - A method for network traffic characterization is provided. Flow data records are acquired associated with a security alert signature. Unidimensional traffic clusters are generated based on the acquired data. A Bloom filter is populated with the acquired flow data records. Clusters of interest are identified from the generated unidimensional traffic clusters. The identified clusters of interest are compressed into a compressed set. A determination is made whether a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature. A multidimensional lattice corresponding to the unidimensional traffic clusters is generated. The multidimensional lattice is traversed and, for each multidimensional node under consideration, a determination is made whether the Bloom filter contains flow records matching the multidimensional node under consideration. A determination is made whether the unidimensional node corresponding to the multidimensional node is included in the compressed set of unidimensional nodes. | 05-12-2016 |
20160088013 | FILTERING LEGITIMATE TRAFFIC ELEMENTS FROM A DOS ALERT - A method for monitoring traffic flow in a network is provided. A network monitoring probe monitors one or more network traffic flow parameters to detect a denial of service attack. In response to detecting the denial of service attack, a first set of data representing the denial of service attack alert is displayed. Filtering criteria are received from a user. The filtering criteria include at least one of the network flow parameters identified as legitimate network traffic. A second set of data is generated and displayed based on the filtering criteria. | 03-24-2016 |
20160065444 | ANOMALY DETECTION BASED ON COMBINATIONS OF CAUSE VALUE, MESSAGE TYPE, RESPONSE TIME (GTP-C) - A method for monitoring control traffic in a network is provided. A network monitoring probe passively monitors one or more network performance metrics related to control traffic. A plurality of threshold values associated with the one or more network performance metrics is received from a user. An alert notification message is sent to the user via an alert engine, in response to determining that at least one of the plurality of threshold values has been reached by the control traffic. | 03-03-2016 |
20150312272 | PROTECTING COMPUTING ASSETS FROM RESOURCE INTENSIVE QUERYING ATTACKS - A method and system for managing data traffic and protecting computing assets. The method and system includes intercepting queries and messages, such as EDNS0 queries, and sending probe queries and reply queries to the originating computing device to determine whether the originating computing device may be sufficiently validated so as to justify forwarding resource-intensive queries and messages to the targeted computing device. | 10-29-2015 |
20150163241 | PROTECTING COMPUTING ASSETS FROM SEGMENTED HTTP ATTACKS - A method and system for managing data traffic and protecting computing assets. The method and system includes analyzing HTTP requests to determine if the HTTP requests are overly segmented, and, if the HTTP request is overly segmented, blocking and/or black-listing the malevolent communications and computing device. The analysis to determine if an HTTP request is overly segmented includes comparing the packet's size to a threshold, identifying the packet's content or lack thereof, identifying whether the packet is the last packet in a communication, and identifying whether the packet ends with the "\n" ASCII character. | 06-11-2015 |
20150138985 | MANAGING DATA TRAFFIC ON A CELLULAR NETWORK - A method and system for managing data traffic on a cellular network. The method and system includes detecting that an internet service is experiencing excessive amounts of data traffic from a cellular network, and sending, to a cellular device on the cellular network, a modified IP address for the internet service, wherein the modified IP address points away from the internet service. The modified IP address is sent in response to detecting that the internet service is experiencing excessive amounts of traffic from a cellular network and detecting a DNS query from the cellular device for the internet service. | 05-21-2015 |
20140380457 | ADJUSTING DDOS PROTECTION - A system, method and computer readable storage medium that blocks network traffic exceeding a user selected value. Received data packets are analyzed to determine volumetric traffic flow so as to graphically represent the determined volumetric traffic flow for the received data packets on a display device. A countermeasure filter is provided having at least one traffic setting operational to block data packet traffic flow from one or more external devices when the volumetric data packet flow exceeds a prescribed threshold value. The prescribed threshold value is determined by a user-positioned indicator on a display device graphically representing the determined volumetric traffic flow. | 12-25-2014 |
20140344931 | SYSTEMS AND METHODS FOR EXTRACTING CRYPTOGRAPHIC KEYS FROM MALWARE - A method and system for extracting cryptographic data from a data transmission. A sample of a first data transmission is received over a network. The sample is classified as belonging to a malware family. An extraction engine is selected corresponding to the malware family. The extraction engine is utilized to extract cryptographic data from the sample. | 11-20-2014 |
20140325634 | ADJUSTING DDOS PROTECTION BASED ON TRAFFIC TYPE - A system, method and computer readable storage medium that receives traffic/packets from external devices attempting to access protected devices in a protected network. A determination is made as to whether a received packet belongs to one of a plurality of packet classifications. Each packet classification is indicative of a different class of IP traffic. Countermeasures are applied to a received packet to prevent attack upon the protected devices. Applying a countermeasure to a received packet determined to belong to one of the plurality of packet classifications includes countermeasure modification/selection contingent upon the determined packet classification for the received packet. | 10-30-2014 |
20140325596 | AUTHENTICATION OF IP SOURCE ADDRESSES - A method and system for authenticating IP source addresses by accessing one or more HTTP requests whose source client identifies itself as a legitimate web crawler. One or more IP addresses are detected from the one or more HTTP requests and each detected IP address is authenticated via a probability estimation regarding its association with a legitimate web crawler. A lookup table is preferably compiled for the authenticated IP addresses for reference, publication and authentication purposes. | 10-30-2014 |
20130055375 | Method and Protection System for Mitigating Slow HTTP Attacks Using Rate and Time Monitoring - A system and methods for mitigating slow HTTP, SSL/HTTPS, SMTP, and/or SIP attacks. A protection system monitors each TCP connection between a client and a server. The protection system monitors the header request time and minimum transfer rate for each client and TCP connection. If the client has not completed the data transfer in the minimum time or the data are not transferred at the minimum transfer rate, the protection system determines that the connections are potentially a slow attack and resets the connections for the protected devices. | 02-28-2013 |
20130055374 | System and Method for Denial of Service Attack Mitigation Using Cloud Services - A method to mitigate attacks by an upstream service provider using cloud mitigation services. An edge detection device, which is located at the subscriber's network edge, is able to communicate information about attacks to an upstream service provider via status messages. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of traffic dropped by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping. | 02-28-2013 |
20130031605 | Method and Apparatus for Probabilistic Matching to Authenticate Hosts During Distributed Denial of Service Attack - A system and method to track external devices attempting to connect to a protected network using probabilistic filters. When a connection from a new external device attempts to access the protected network, the memory of a protection system, which is organized as a probabilistic filter, is searched to determine if the IP address already exists in the memory of the protection system. If the search locates the IP address, the protection system terminates the connection to the external device. If the search is negative, then the protection device begins the authentication process for the external device. | 01-31-2013 |
20120167168 | Method and System for Authentication Event Security Policy Generation - A method and system allows for the deployment of security policies into the higher layers of the OSI model. Specifically, it allows for the establishment of security policies at layer 4 and higher, by monitoring authentication flows and using these flows as the basis for establishing security policies which then can be used as a basis for assessing the operation of the network. | 06-28-2012 |
20120047248 | Method and System for Monitoring Flows in Network Traffic - A method and system for correlating web content with content providers to determine the origin of the content such that it is not necessary to look inside the information exchange. The method and system maintains sequences of reference points, which are ordered lists of content providers accessed by subscribers over time, and correlates the internet content applications, such as video, found in network traffic to the sequence of reference points accessed by subscribers to determine the origins of the content even when the content is being delivered by third-party content delivery networks. | 02-23-2012 |
20110296002 | Stateful Flow Information Table Method and System for Packet Inspection System - A packet processing system comprises two packet inspection systems for tracking packet flows between a first network and a second network. A memory is accessible by each of the packet inspection systems for storing flow entries. Each of the flow entries includes a flow key characterizing the packet flow associated with the flow entry, and a flow identifier. State information is further maintained indicating ownership of the flow identifiers among the two packet inspection systems. Using stateful identifiers ensures that the two packet processing systems do not become incoherent and properly indicate the status of free flow identifiers. | 12-01-2011 |
20090168648 | Method and System for Annotating Network Flow Information - A scalable flow monitoring solution takes in standard flow records exported from network devices such as routers, switches, firewalls, hubs, etc., and annotates the flow with additional information. This information is derived from a number of sources, including Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), user configuration, and other intelligent flow analysis. These annotations add information to the flow data, and can be used to perform value-added flow analysis. The annotated flow is then resent to a configurable set of destinations using standard flow formatting, e.g., Cisco Systems Inc.'s NetFlow, in one implementation. This allows the annotated flow to be processed and the enhanced information to be used by other flow analysis tools and existing flow analysis infrastructure. | 07-02-2009 |