H04L41/142

Analyzing user behavior patterns to detect compromised nodes in an enterprise network
11700269 · 2023-07-11

Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.

Aggregated service status reporter
11700314 · 2023-07-11

Systems as described herein may include generating an aggregated service status report for a real-time service delivery platform. A plurality of services running in a service domain may be determined. A request for a status of system behavior corresponding to a particular service may be received. Service connection details of the particular service may be discovered and metric data of real-time data movement may be tracked. Real-time snapshot aggregation of the particular service may be provided. In a variety of embodiments, a real-time system behavior report for the service across availability zones may be presented.

Systems and methods for proactive network maintenance

The present disclosure generally relates to systems, methods and software for quantitatively evaluating an improvement on an active communication network when an impairment, such as a developing impairment, is addressed by one or more repair options via proactive network maintenance.

Video-call user experience testing and assurance
11700294 · 2023-07-11

During operation, an electronic device receives, from a second electronic device in a network, a request for testing. In response, the electronic device sets up a video call with a video-call service. Then, the electronic device provides, to the second electronic device, an invitation for the video call. When the electronic device receives a notification (e.g., from the video-call service) that the video call has started, the electronic device provides content via the video-call service for the second electronic device. Next, the electronic device obtains communication-performance metrics associated with communication via the network during the video call and video-service performance metrics associated with the video call. Furthermore, the electronic device diagnoses a type of problem experienced at the second electronic device during the video call based at least in part on the communication-performance metrics, the video-service performance metrics and a pretrained machine-learning model.

METHOD AND APPARATUS FOR FLEXIBLE AND EFFICIENT ANALYTICS IN A NETWORK SWITCH

Embodiments of the present invention relate to a centralized network analytic device that efficiently uses on-chip memory to flexibly perform counting, traffic rate monitoring and flow sampling. The device includes a pool of memory that is shared by all cores and packet processing stages of each core. The counting, the monitoring and the sampling are all defined through software, allowing for greater flexibility and efficient analytics in the device. In some embodiments, the device is a network switch.

TRAFFIC FLOW PREDICTION IN A WIRELESS NETWORK USING HEAVY-HITTER ENCODING AND MACHINE LEARNING

Systems and methods related to traffic flow prediction in a wireless network are disclosed. In one embodiment, a computer-implemented method comprises collecting training data comprising Internet Protocol (IP) addresses extracted from packets for traffic flows in a wireless network and one or more actual traffic type related parameters for each of the traffic flows. The method further comprises training heavy-hitter IP address encodings based on the extracted IP addresses and encoding the extracted IP addresses using the trained heavy-hitter IP address encodings. The method further comprises training a traffic type predictor of a traffic flow predictor based on the encoded IP addresses and the one or more actual traffic type related parameters for each of the traffic flows, where the traffic type predictor is a learning model that maps encoded IP addresses to one or more predicted traffic type related parameters.

TRAFFIC MONITORING METHOD AND APPARATUS, INTEGRATED CIRCUIT, AND NETWORK DEVICE
20230216769 · 2023-07-06

Embodiments of this application disclose a traffic monitoring method and apparatus, an integrated circuit, and a network device. When the traffic monitoring apparatus receives a packet, after determining that the traffic monitoring apparatus includes an empty first register, the traffic monitoring apparatus updates a value of first information in the first register to a measured value of a target performance indicator of the packet, and increases a value of second information in the first register by 1. The value of the second information in the first register is 0, the first information in the first register indicates a depth of a data bucket that carries a measured value of the target performance indicator of a to-be-monitored packet, and the second information in the first register indicates a quantity of packets that are in received packets and that match the value of the first information in the first register.