Patent application number | Description | Published |
20090190511 | Method and apparatus for detecting wireless data subscribers using natted devices - A system and method for network based detection of wireless data subscribers using network address translation devices is provided. The method includes identifying a minimum number of devices showing the same internet protocol address. Packet identification sequences may include port numbers or internet protocol identification numbers. The method continues with grouping these applications by their packet identification sequences and applying detection logic where detection logic yields a conclusion that there are multiple host computers when a set of applications appears in a plurality of packet identification sequences. This method is particularly useful when internet protocol addresses are dynamic, as opposed to static. This method overcomes previous embodiments known in the art by being able to account for and work with live traffic, which enables real time detection. | 07-30-2009 |
20090268623 | EFFICIENT PROBABILISTIC COUNTING SCHEME FOR STREAM-EXPRESSION CARDINALITIES - In one embodiment, a method of monitoring a network. The method includes, at each node of a fixed set, constructing a corresponding vector of M components based on data packets received at the node during a time period, M being an integer greater than 1, the fixed set being formed of some nodes of the network; and, based on the constructed vectors, estimating how many of the received data packets have been received by all of the nodes of the set or estimating how many flows of the received data packets have data packets that have passed through all of the nodes of the set. The constructing includes updating a component of the vector of one of the nodes in response to the one of the nodes receiving a data packet. The updating includes selecting the component for updating by hashing a property of the data packet received by the one of the nodes. | 10-29-2009 |
20090271509 | PROBABILISTIC AGGREGATION OVER DISTRIBUTED DATA STREAMS - In one embodiment, a method of monitoring a network. The method includes, at each node of a set, constructing a corresponding vector of M components based on a stream of data packets received at the node during a time period, the set including a plurality of nodes of the network, M being greater than 1; and estimating a value of a byte traffic produced by a part of the packets based on the constructed vectors, the part being the packets received by every node of the set. The constructing includes updating a component of the vector corresponding to one of the nodes in response to the one of the nodes receiving a data packet. The updating includes selecting a component of the vector to be updated by hashing a property of the received data packet. | 10-29-2009 |
20090296594 | ESTIMATING CARDINALITY DISTRIBUTIONS IN NETWORK TRAFFIC - In one embodiment, a method of monitoring a network. The method includes: receiving, from each host of a set of two or more hosts of the network, a corresponding vector of M components constructed based on data packets received at the host during a time period, M being an integer greater than 1; and, based on the constructed vectors, using an expectation-maximization algorithm to estimate a cardinality distribution for the hosts in the set, wherein constructing a vector includes updating a component of the vector of the corresponding host in response to the corresponding host receiving a data packet, the updating including selecting the component for updating by hashing one or more fields of the data packet received by the corresponding host. | 12-03-2009 |
20100299287 | Monitoring time-varying network streams using state-space models - In one embodiment, a statistical model is generated based on observed data, the observed data being associated with a network device, online parameter fitting is performed on parameters of the statistical model, and for each newly observed data value, a forecast value is generated based on the statistical model, the forecast value being a prediction of a next observed data value, a forecasting error is generated based on the forecast value and the newly observed data value, and whether the data of the network stream is abnormal is determined based on a log likelihood ratio test of the forecasting errors and a threshold value. | 11-25-2010 |
20110010327 | METHOD AND APPARATUS FOR INCREMENTAL TRACKING OF MULTIPLE QUANTILES - A method and apparatus for incremental tracking of multiple quantiles is provided. A method for performing an incremental quantile update using a data value of a received data record includes determining an initial distribution function, updating the initial distribution function to form a new distribution function based on the received data value, generating an approximation of the new distribution function, and determining new quantile estimates from the approximation of the new distribution function. The initial distribution function includes a plurality of initial quantile estimates and a respective plurality of initial probabilities. The initial distribution function is updated to form the new distribution function based on the received data value. The new distribution function includes a plurality of quantile points identifying the respective initial quantile estimates and a respective plurality of new probabilities associated with the respective initial quantile estimates. The approximation of the new distribution function is generated by, for each pair of adjacent quantile points in the new distribution function, connecting the adjacent quantile points using a linear approximation of a region between the adjacent quantile points. The new quantile estimates and the new probabilities associated with the new quantile estimates may then be stored. | 01-13-2011 |
20110010337 | METHOD AND APPARATUS FOR INCREMENTAL QUANTILE TRACKING OF MULTIPLE RECORD TYPES - A method and apparatus are provided for incrementally tracking quantiles in the presence of multiple record types. A method for performing incremental quantile tracking includes receiving a first data record of a first record type having a first data value, determining whether a second data record of a second record type is received, determining an initial distribution function, updating the initial distribution function to form a new distribution function based on the first data value and whether a second data record is received, generating an approximation of the new distribution function, determining at least one new quantile estimate associated with at least one new probability of the new distribution function using the approximation of the new distribution function, and storing the at least one new quantile estimate and the at least one new probability associated with the at least one new quantile estimate. | 01-13-2011 |
20110069632 | TRACKING NETWORK-DATA FLOWS - A network-equipment-implemented method and apparatus for tracking durations of flows received at a network node in consecutive intervals utilizes two counting bloom filters in ping-pong operation to reduce memory and processing. Identifiers for flows that exceed a predetermined duration or number of intervals are stored in a long-duration flow-identifier table. Hash functions used within the counting bloom filters and optionally used in the long-duration flow-identifier table are chosen to minimize the probability of false positives in the detection of long-duration flows. In some embodiments, flows are sampled to conserve memory and processing resources at the risk of missing detection of some long-duration flows. | 03-24-2011 |
20110239299 | ADAPTIVE DISTINCT COUNTING FOR NETWORK-TRAFFIC MONITORING AND OTHER APPLICATIONS - In one embodiment, a counting method of the invention uses an adaptive sketching-update process to compress an unknown cardinality into a counter value that counts the number of binary ones in a hashed bitmap vector. The sketching-update process is probabilistic in nature and uses bit-flip probabilities that are adaptively decreased as the counter value increases. Parameters of the sketching-update process are selected so that the relative error of cardinality estimates obtained based on the counter values is relatively small and substantially constant over a relatively wide range of cardinalities, e.g., from one to about one million. Due to the latter property, the counting method can advantageously be implemented in the form of embedded software that relies on a relatively small, fixed amount of memory. | 09-29-2011 |
20110258190 | Spectral Neighborhood Blocking for Entity Resolution - A processing device of an information processing system is operative to obtain a plurality of records, documents, web pages or other data objects, and to construct a binary tree using a bipartition procedure in which subsets of the data objects are associated with respective nodes of the tree. Evaluation of a designated modularity for a given one of the nodes of the tree is used as a stopping criterion to prevent further partitioning of that node and to indicate designation of that node as a leaf node of the tree. The resulting leaf nodes of the tree provide a non-overlapping partitioning of the plurality of data objects. The processing device is further operative to perform a neighborhood search on the tree to identify pairs of the plurality of data objects that match the same entity, and to store an indication of the matching pairs of data objects. | 10-20-2011 |
20110320447 | High-Dimensional Stratified Sampling - In one aspect, a processing device of an information processing system is operative to perform high-dimensional stratified sampling of a database comprising a plurality of records arranged in overlapping sub-groups. For a given record, the processing device determines which of the sub-groups the given record is associated with, and for each of the sub-groups associated with the given record, checks if a sampling rate of the sub-group is less than a specified sampling rate. If the sampling rate of each of the sub-groups is less than the specified sampling rate, the processing device samples the given record, and otherwise does not sample the given record. The determine, check and sample operations are repeated for additional records, and samples resulting from the sample operations are processed to generate information characterizing the database. Other aspects of the invention relate to determining which records to sample through iterative optimization of an objective function that may be based, for example, on a likelihood function of the sampled records. | 12-29-2011 |
20140040268 | HIGH-DIMENSIONAL STRATIFIED SAMPLING - In one aspect, a processing device of an information processing system is operative to perform high-dimensional stratified sampling of a database comprising a plurality of records arranged in overlapping sub-groups. For a given record, the processing device determines which of the sub-groups the given record is associated with, and for each of the sub-groups associated with the given record, checks if a sampling rate of the sub-group is less than a specified sampling rate. If the sampling rate of each of the sub-groups is less than the specified sampling rate, the processing device samples the given record, and otherwise does not sample the given record. The determine, check and sample operations are repeated for additional records, and samples resulting from the sample operations are processed to generate information characterizing the database. Other aspects of the invention relate to determining which records to sample through iterative optimization of an objective function that may be based, for example, on a likelihood function of the sampled records. | 02-06-2014 |
20140181978 | DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM - A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited traffic (i.e., packets that were not requested by the receiver) is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicates whether the changes are due to worm propagation. | 06-26-2014 |