摘要:
An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.
摘要:
An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.
摘要:
An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.
摘要:
An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.
摘要:
An efficient streaming method and apparatus for detecting hierarchical heavy hitters from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks.
摘要:
Apparatuses, methods, and other embodiments associated with packet identification are described. One example apparatus includes a packet selection logic to identify packets associated with a data stream. The example apparatus may also include a set of packet classification logics. A packet classification logic may generate a signal as a function of whether an attribute associated with the packet matches an attribute associated with packets generated by a tested application.
摘要:
Network worms or viruses are a growing threat to the security of public and private networks and the individual computers that make up those networks. A content sifting method if provided that automatically generates a precise signature for a worm or virus that can then be used to significantly reduce the propagation of the worm elsewhere in the network or eradicate the worm altogether. The content sifting method is complemented by a value sampling method that increases the throughput of network traffic that can be monitored. Together, the methods track the number of times invariant strings appear in packets and the network address dispersion of those packets including variant strings. When an invariant string reaches a particular threshold of appearances and address dispersion, the string is reported as a signature for suspected worm.
摘要:
Detecting attacks against computer systems by automatically detecting signatures based on predetermined characteristics of the intrusion. One aspect looks for commonalities among a number of different network messages, and establishes an intrusion signature based on those commonalities. Data reduction techniques, such as a hash function, are used to minimize the amount of resources which are necessary to establish the commonalities. In an embodiment, signatures are created based on the data reduction hash technique. Frequent signatures are found by reducing the signatures using that hash technique. Each of the frequent signatures is analyzed for content, and content which is spreading is flagged as being a possible attack. Additional checks can also be carried out to look for code within the signal, to look for spam, backdoors, or program code.
摘要:
A method and apparatus is described for identifying content in a packet. The method may obtain data sample from the packet where the data sample is in a predetermined window at an initial offset point in the packet. For each offset point, a first stage of processing on the data sample may be performed to identify if the data sample corresponds to potentially relevant reference string. A more focused second stage of processing may then be carried out on the data sample to identify if the data sample corresponds to potentially relevant reference string. Thereafter, an even more focused third stage of processing may be carried out on the data sample to obtain a third stage result. If the data sample passes all three stages of processing, a predefined action is identified which is associated with a reference string corresponding to the data sample.
摘要:
A method and apparatus is described to process packets in a network. The method may comprise receiving the packet and determining a length K of the packet. If the length of the packet is less than a reference length M then no analysis may be performed on the packet. However, if the packet length K is not less than M, the method may determine if the packet length K is at least greater than a reference window size WRef. When the packet length is greater than WRef then a window size W for the processing of the packets is set equal to WRef; and the packet length is less than WRef then a window size W for the processing of the packets is set equal to the packet size K. Thereafter, the packet is processed using the window size W.