Patent application number | Description | Published |
20080212586 | METHOD AND APPARATUS FOR CLASSIFYING PACKETS - A method and apparatus for classifying packets, e.g., at wire speed are disclosed. The method receives a packet and processes the packet through a hardware-based packet classifier having at least one evolving rule. The method then processes the packet through a software-based packet classifier if the hardware-based packet classifier is unable to classify the packet. In one embodiment, the at least one evolving rule is continuously modified in accordance with learned traffic characteristics of the received packets | 09-04-2008 |
20090025082 | Method and apparatus for detecting computer-related attacks - Disclosed is a method and apparatus for detecting prefix hijacking attacks. A source node is separated from a destination network at a first time via an original path. The destination network is associated with a prefix. At a second time, a packet is transmitted from the source node to the destination network to determine a current path between the source node and the destination network. A packet is also transmitted from the source node to a reference node to determine a reference node path. The reference node is located along the original path and is associated with a prefix different than the prefix associated with the destination network. The current path and the reference node path are then compared, and a prefix hijacking attack is detected when the reference node path is not a sub-path of the current path. | 01-22-2009 |
20090046589 | Method and apparatus for compensating for performance degradation of an application session - Disclosed is a method and apparatus for compensating for a performance degradation of an application session in a plurality of application sessions associated with a network link. The performance of each application session in the plurality of application sessions associated with the network link is determined. The performance of each application session in the plurality is then compared. From this comparison, a lowest performance application session in the plurality of application sessions is identified. Corrective action is performed on packets scheduled to be transmitted over the lowest performance application session. | 02-19-2009 |
20090262650 | METHOD AND APPARATUS FOR PROVIDING STATISTICAL EVENT CORRELATION IN A NETWORK - A method and apparatus for providing event correlation in a network are disclosed. For example, the method extracts a plurality of events of interest from a database, and creates one or more event time series from the plurality of events of interest, wherein each of the one or more event time series comprises a set of events of a same type and of a same location that occur within a given time period. The method forms one or more composite events from the one or more event time series, and performs one or more pair-wise correlations for at least one of: the event time-series, or the one or more composite events. The method then identifies one or more pair-wise correlations that are statistically significant. | 10-22-2009 |
20090271857 | METHOD AND APPARATUS FOR FILTERING PACKETS USING AN APPROXIMATE PACKET CLASSIFICATION - A method and apparatus that enables approximate packet classification by using both an exact packet classification method and an inexact packet classification method are disclosed. For example, the method filters a plurality of packets using an exact packet classification method when a processing load is below or equal to a threshold, and filters the plurality of packets by dynamically switching between the exact packet classification method and an inexact packet classification method when the processing load is above the threshold. | 10-29-2009 |
20090285117 | ESTIMATING ORIGIN-DESTINATION FLOW ENTROPY - The preferred embodiments of the present invention are directed to estimating entropy of origin-destination (OD) data flows in a network. To achieve this, first and second sketches are created corresponding to ingress (i.e. origin) and egress (i.e. destination) flows. The sketches allow estimating entropy associated with data streams as well as entropy associated with an intersection of two or more of the data streams, which provides a mechanism for estimating the entropy OD flows in a network. | 11-19-2009 |
20100014420 | Lightweight Application Classification for Network Management - Managing network traffic to improve availability of network services by classifying network traffic flows using flow-level statistical information and machine learning estimation, based on a measurement of at least one of relevance and goodness of network features. Also, determining a network traffic profile representing applications associated with the classified network traffic flows, and managing network traffic using the network traffic profile. The flow-level statistical information includes packet-trace information and is available from at least one of Cisco NetFlow, NetStream or cflowd records. The classification of network flows includes tagging packet-trace flow record data based on defined packet content information. The classifying of network flows can result in the identification of a plurality of clusters based on the measurement of the relevance of the network features. Also, the classification of network traffic can use a correlation-based measure to determine the goodness of the network features. | 01-21-2010 |
20100034084 | Reliability as an Interdomain Service - A system and techniques are disclosed that increase the redundancy (i.e., physical diversity and bandwidth) available to an IP network, thereby increasing the failure processing capability of IP networks. The techniques include pooling the resources of multiple networks together for mutual backup purposes to improve network reliability and employing methods to efficiently utilize both the intradomain and the interdomain redundancies provided by networks at low cost. | 02-11-2010 |
20100034098 | Towards Efficient Large-Scale Network Monitoring and Diagnosis Under Operational Constraints - A system and methods are disclosed that provide a continuous monitoring and diagnosis system for ISP IP/VPN backboneExt networks. The system includes two phases: 1) a monitor setup phase which selects candidate routers as monitors and the paths to be measured by the monitors, and 2) a continuous monitoring and diagnosis phase. | 02-11-2010 |
20100034102 | Measurement-Based Validation of a Simple Model for Panoramic Profiling of Subnet-Level Network Data Traffic - A system and method for profiling subnet-level aggregate network data traffic is disclosed. The system allows a user to define a collection of features that combined characterize the subnet-level aggregate traffic behavior. Preferably, the features include daily traffic volume, time-of-day behavior, spatial traffic distribution, traffic balance in flow direction, and traffic distribution in type of application. The system then applies machine learning techniques to classify the subnets into a number of clusters on each of the features, by assigning a membership probability vector to each network thus allowing panoramic traffic profiles to be created for each network on all features combined. These membership probability vectors may optionally be used to detect network anomalies, or to predict future network traffic. | 02-11-2010 |
20100125643 | Interdomain Network Aware Peer-to-Peer Protocol - A method includes receiving network distance information, receiving a request from a client for an identity of a peer providing content, and identifying a first peer and a second peer providing the content. The network distance information includes a compilation of network distance information provided by a plurality of service providers. The method further includes determining that a network distance between the first peer and the client is less than a network distance between the second peer and the client based on the network distance information, and providing the identity of the first peer to the client. | 05-20-2010 |
20100132037 | SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable medium to locate a prefix hijacker of a destination prefix within a one-hop neighborhood on a network. The method includes generating one-hop neighborhoods from autonomous system (AS)-level paths of plural monitors to a destination prefix. The method also includes determining a suspect set of AS identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each AS identifier of the suspect set. The count indicates how often the AS identifier appeared in the one-hop neighborhoods. The distance indicates a total distance from the AS identifier to AS identifiers associated with the plural monitors. Yet further, the method includes generating a one-hop suspect set of AS identifiers from the suspect set that have highest counts and highest distances. | 05-27-2010 |
20100132039 | SYSTEM AND METHOD TO SELECT MONITORS THAT DETECT PREFIX HIJACKING EVENTS - Method, system and computer-readable medium to select monitors that increase the likelihood of detecting prefix hijacking events of a destination prefix are disclosed. The method includes assigning each of the candidate prefix hijack monitors to a respective cluster of a plurality of clusters. Each of the candidate prefix hijack monitors is associated with an autonomous system (AS) that indicates an AS path of autonomous systems (ASes) from the AS to a destination prefix associated with a destination AS. The method further includes iteratively merging a pair of clusters with a highest similarity score amongst cluster pairs of the plurality of clusters into a single cluster until a processed number of clusters is less than or equal to a predetermined number of clusters. The method also includes ranking each candidate prefix hijack monitor of each of the processed number of clusters according to a route type from an AS associated with the candidate prefix hijack monitor and an AS distance from the AS associated with the candidate prefix hijack monitor to the destination AS. Yet further, the method includes determining a highest ranked candidate prefix hijack monitor of each of the processed number of clusters. | 05-27-2010 |
20100153537 | METHOD AND APPARATUS FOR PROVIDING DETECTION OF INTERNET PROTOCOL ADDRESS HIJACKING - A method and apparatus for detecting an address hijacking in a network are disclosed. For example, the method sends one or more traceroute packets to a target prefix, wherein the target prefix comprises one or more destination Internet Protocol (IP) addresses, and records traceroute data received for the one or more traceroute packets sent to the target prefix. The method then determines one or more hop count distance measurements for the target prefix, and determines if there are one or more changes in the one or more hop count distance measurements for the target prefix. | 06-17-2010 |
20110119761 | Mitigating Low-Rate Denial-of-Service Attacks in Packet-Switched Networks - A method includes determining, at a network routing device, an average packet drop rate for a plurality of aggregations of packet flows. The method also determines a threshold packet drop rate based on the average packet drop rate, a current packet drop rate for a select aggregation of the plurality of aggregations, and whether at least one packet flow of the select aggregation is potentially subject to a denial-of-service attack based on a comparison of the current packet drop rate to the threshold packet drop rate. | 05-19-2011 |
20110138466 | METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR PROTECTING AGAINST IP PREFIX HIJACKING - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each of the at least one potential hijack AS. | 06-09-2011 |
20110153801 | Prefix Hijacking Detection Device and Methods Thereof - A method of placing prefix hijacking detection modules in a communications network includes selecting a set of candidate locations. For each candidate location, a detection coverage ratio with respect to a target Autonomous System is calculated. Based on the relative size of the coverage ratios, proposed locations for the prefix hijacking detection modules are determined. | 06-23-2011 |
20110154119 | Device and Method for Detecting and Diagnosing Correlated Network Anomalies - A device detects and diagnoses correlated anomalies of a network. The device includes an anomaly detection module receiving a first data stream including an event-series related to the network. The anomaly detection module executes at least one algorithm to detect a potential anomaly in the event-series. The device further includes a correlating module receiving a second data stream including other event-series related to the network. The correlating module determines whether the potential anomaly is false and determines whether the potential anomaly is a true anomaly. | 06-23-2011 |
20110307913 | Modeling User Activity Information Associated with a Network System - Systems and methods to model user activity information associated with a network system are provided. A particular method includes receiving, at a computing device, a request for user activity information associated with selected channels of a television access network that provides multimedia content to users. The method includes executing a model of user activity associated with the television access network at the computing device. The model estimates the user activity information as user multimedia access demands during particular time periods within a day. The method also includes storing the user activity information at a computer-readable non-transitory storage medium. | 12-15-2011 |
20120069747 | Method and System for Detecting Changes In Network Performance - A system and method are provided for identifying a change point in a set of data. The system performs the method by receiving a set of data. The data indicates a plurality of performance measurements from a measurement point in a network. Each of the plurality of measurements represents a single type of performance measurement made at the measurement point at each of a corresponding plurality of points in time. The method also includes dividing the set of data into a plurality of data points in a chronological order. Each data point has a value corresponding to the performance measurements. The method also includes ranking the data points in an ascending order, calculating a cumulative sum for each of the data points, calculating a change score for the set of data points. A change point is identified in the data set if the change score exceeds a predetermined confidence level. | 03-22-2012 |
20120072556 | Method and System for Detecting Network Upgrades - A system and method identify a network upgrade from a data set including a plurality of configuration sessions. The system performs the method by receiving a plurality of configuration sessions. Each of the configuration sessions comprises a plurality of configuration commands. The configuration commands are generated by a same user identifier and within a time threshold. The method further includes identifying one of the configuration sessions as a network upgrade session. The identification is based on a rareness of the configuration session or a skewness of the configuration session. | 03-22-2012 |
20120072574 | Method and System for Detecting Common Attributes of Network Upgrades - A system and method identify a set of rules for determining a commonality of attributes across different behavior changes for a network. The system performs the method by receiving a set of data correlating network triggers to performance changes of one or more network devices. The set of data further includes an indication of a sign of the performance change for each of the network devices based on the triggers. The method further includes extracting a set of rules relating to a set of relationships between the triggers and the performance changes. The rules identify a commonality of the performance changes for multiple network devices based on the triggers. | 03-22-2012 |
20120157106 | OPTIMIZATION OF CELLULAR NETWORK ARCHITECTURE BASED ON DEVICE TYPE-SPECIFIC TRAFFIC DYNAMICS - A method, a computer readable medium and an apparatus for optimizing a cellular network architecture are disclosed. For example, the method obtains network traffic data for a plurality of different endpoint device types, wherein the network traffic data comprises network traffic data for each of the plurality of different endpoint device types, and predicts a future traffic pattern for one of the plurality of different endpoint device types based on the network traffic data. The method then adjusts a parameter of the cellular network architecture in response to the future traffic pattern predicted for the one of the plurality of different endpoint device types. | 06-21-2012 |
20120246308 | Interdomain Network Aware Peer-to-Peer Protocol - A method includes receiving network distance information, receiving a request from a client for an identity of a peer providing content, and identifying a first peer and a second peer providing the content. The network distance information includes a compilation of network distance information provided by a plurality of service providers. The method further includes determining that a network distance between the first peer and the client is less than a network distance between the second peer and the client based on the network distance information, and providing the identity of the first peer to the client. | 09-27-2012 |
20130074175 | Methods, Systems, and Computer Program Products for Protecting Against IP Prefix Hijacking - A communication network is operated by identifying at least one potential hijack autonomous system (AS) that can be used to generate a corrupt routing path from a source AS to a destination AS. For each of the at least one potential hijack AS the following operations are performed: identifying at least one regional AS that is configured to adopt the corrupt routing path from the source AS to the destination AS and determining a reflector AS set such that, for each reflector AS in the set, a source AS to reflector AS routing path and a reflector AS to destination AS routing path do not comprise any of the at least one regional AS. A reflector AS is then identified that is common among the at least one reflector AS set responsive to performing the identifying and determining operations for each, of the at least one potential hijack AS. | 03-21-2013 |
20130097703 | SYSTEM AND METHOD TO LOCATE A PREFIX HIJACKER WITHIN A ONE-HOP NEIGHBORHOOD - Method, system and computer-readable device to locate a prefix hijacker of a destination prefix within a one-hop neighborhood. The method includes generating one-hop neighborhoods from autonomous system-level paths associated with a plurality of monitors to a destination prefix. The method also includes determining a suspect set of autonomous system identifiers resulting from a union of the one-hop neighborhoods. The method further includes calculating a count and a distance associated with each autonomous system identifier in the suspect set of autonomous system identifiers. The count represents how often an autonomous system identifier appears in the one-hop neighborhoods. The distance represents a total number of autonomous system identifiers from the autonomous system identifier to autonomous system identifiers associated with the plurality of monitors. Yet further, the method includes generating a one-hop suspect set including autonomous system identifiers in the suspect set that have a greatest sum of the count and the distance. | 04-18-2013 |
20130124923 | Device and Method for Detecting and Diagnosing Correlated Network Anomalies - A device detects and diagnoses correlated anomalies of a network. The device includes an anomaly detection module receiving a first data stream including an event-series related to the network. The anomaly detection module executes at least one algorithm to detect a potential anomaly in the event-series. The device further includes a correlating module receiving a second data stream including other event-series related to the network. The correlating module determines whether the potential anomaly is false and determines whether the potential anomaly is a true anomaly. | 05-16-2013 |
20130138786 | FACILITATING VIRTUAL PERSONAL AREA NETWORKS - A system that incorporates teachings of the present disclosure may include, for example, a coordinator device having a memory, and a controller. The memory can have computer instructions, which when executed by the controller, causes the controller to facilitate establishing a first virtual personal area network with a first sensor by executing computer instructions associated with a first application profile, and facilitate establishing a second virtual personal area network with a second sensor by executing computer instructions associated a second application profile. The first application profile can be defined by a first protocol specification, while the second application profile can be defined by a second protocol specification. The first protocol specification can also be operationally distinct from the second protocol specification. Other embodiments are disclosed. | 05-30-2013 |
20130145400 | Systems and Methods to Facilitate a Voice Search of Available Media Content - A particular method includes determining estimated popularity scores for programs identified in an electronic program guide for a time interval. The programs identified in the electronic program guide for the time interval include programs being aired. One or more estimated popularity scores are based on viewing trends of the programs being aired. The method also includes determining a voice search vocabulary based on the estimated popularity scores. The voice search vocabulary includes one or more keywords usable for a keyword search of the electronic program guide during the time interval based on a received voice search request. | 06-06-2013 |
20130198767 | METHOD AND APPARATUS FOR MANAGING QUALITY OF SERVICE - A system that incorporates teachings of the present disclosure may include, for example, obtaining regression coefficients that quantify a relationship between premises feedback and first network and premises performance indicators, obtaining second network performance indicators for the network elements, obtaining second premises performance indicators for the customer premises equipment, and predicting customer complaints by applying the obtained regression coefficients to at least the second network performance indicators and the second premises performance indicators. Other embodiments are disclosed. | 08-01-2013 |
20130215738 | Reliability as an Interdomain Service - A system and techniques are disclosed that increase the redundancy (i.e., physical diversity and bandwidth) available to an IP network, thereby increasing the failure processing capability of IP networks. The techniques include pooling the resources of multiple networks together for mutual backup purposes to improve network reliability and employing methods to efficiently utilize both the intradomain and the interdomain redundancies provided by networks at low cost. | 08-22-2013 |
20130254886 | Mitigating Low-Rate Denial-Of-Service Attacks in Packet-Switched Networks - A method includes determining, at a network routing device, an average packet drop rate for a plurality of aggregations of packet flows. The method also determines a threshold packet drop rate based on the average packet drop rate, a current packet drop rate for a select aggregation of the plurality of aggregations, and whether at least one packet flow of the select aggregation is potentially subject to a denial-of-service attack based on a comparison of the current packet drop rate to the threshold packet drop rate. | 09-26-2013 |
20130254887 | Prefix Hijacking Detection Device and Methods Thereof - A method of placing prefix hijacking detection modules in a communications network includes selecting a set of candidate locations. For each candidate location, a detection coverage ratio with respect to a target Autonomous System is calculated. Based on the relative size of the coverage ratios, proposed locations for the prefix hijacking detection modules are determined. | 09-26-2013 |