Patent classifications
H04L43/022
Sampling node and a method performed thereby for handling flows through a SDN between client(s) and origin server(s) of a communication network
A sampling node in a SDN and a method performed thereby for handling flows through the SDN between client(s) and origin server(s) of a communication network connected to the SDN are provided. The method comprises receiving (110) a fraction of a total amount of traffic flows originating at client(s) served by the SDN, and destined for the origin server(s); identifying (120) which of the received traffic flows benefit from being routed via a service optimising node, capable of providing value added services, VAS, to the traffic flows, by fulfilling predetermined conditions; and determining (130), for each individual traffic flow, a capacity demand of the flow. The method further comprises selecting (150) which traffic flows shall be routed via the service optimising node on the basis of their capacity demand considering a capacity of the service optimising node; and informing (160) a flow switch of the SDN about which traffic flows should bypass the service optimising node and which traffic flows should be routed via the service optimising node.
EXTRACTION DEVICE, EXTRACTION METHOD, AND EXTRACTION PROGRAM
An extraction device includes processing circuitry configured to generate a first feature vector that shows a feature of traffic data for each target from a plurality of traffic data pieces aggregated for each predetermined target, sample traffic data from the traffic data for each target a plurality of times, and generate a second feature vector that shows a feature of the sampled traffic data for each sample set obtained.
SYSTEM AND METHOD FOR RETROSPECTIVE NETWORK TRAFFIC ANALYSIS
A method is provided to monitor network traffic, including reserving a portion of a system memory for short-term storage of copied network traffic, wherein the system memory is volatile, receiving copied packets of intercepted network traffic traversing a network, wherein the packets are associated with a plurality of respective traffic streams included in the network traffic, storing the copied packets in the portion of the system memory, maintaining an ordered list per traffic stream of copied packets that are stored, removing copied packets selected, based on their positions in their respective ordered lists, from the portion of the system memory based on a storage constraint, receiving an attack alert identifying a packet that is involved in a network attack, identifying the traffic stream that includes the packet identified, and transferring stored copied packets that are included in the identified traffic stream from the portion of the system memory to a long-term storage device.
MECHANISMS TO PREVENT ANOMALY DETECTORS FROM LEARNING ANOMALOUS PATTERNS
In one embodiment, a device in a network detects an anomaly in the network by analyzing a set of sample data regarding one or more conditions of the network using a behavioral analytics model. The device receives feedback regarding the detected anomaly. The device determines that the anomaly was a true positive based on the received feedback. The device excludes the set of sample data from a training set for the behavioral analytics model, in response to determining that the anomaly was a true positive.
Network visibility appliances for cloud computing architectures
With exponential growth in virtualized traffic within physical data centers, many end users (e.g., individuals and enterprises) have begun moving work processes and data to cloud computing platforms. However, accessing virtualized traffic traversing the cloud computing platforms for application, network, and security analysis is a challenge. Introduced here, therefore, are visibility platforms for monitoring virtualized traffic traversing a cloud computing platform, such as Amazon Web Services, VMware, and OpenStack. A visibility platform can be integrated into a cloud computing platform to provide a coherent view of virtualized traffic in motion across the cloud computing platform for a given end user. Said another way, a visibility platform can intelligently select, filter, and forward virtualized traffic belonging to an end user to a monitoring infrastructure, thereby eliminating traffic blind spots.
MONITORING NETWORK TRAFFIC TO DETERMINE SIMILAR CONTENT
In an embodiment, a method monitors a plurality of data streams passing through a router in the connectivity service provider environment, and for each of the data streams, periodically samples packets at the router. The method further generates a stream signature based at least on the payload of the sampled packets. The method further includes, for each generated stream signature, attaching information to the stream signature. Such information may, for example, include time-stamp information for the stream signature, or an identification of the router. The method may further comprise storing the stream signatures corresponding to the data streams in a database. The stored stream signatures may be compared to determine matching stream signatures. Matching signatures may identify data streams that carry identical or similar content.
Systems and methods for predicting future traffic loads of outgoing interfaces on network devices
A disclosed method may include (1) sampling traffic forwarded by a network device in accordance with certain prefixes, (2) determining, based at least in part on the sampling of traffic, a subset of the prefixes whose usages satisfy a certain threshold, (3) computing a plurality of hit probabilities that each represent a relative likelihood that one of the subset of prefixes is used by the network device to forward the traffic, (4) identifying a plurality of outgoing interfaces that carry the traffic in connection with the subset of prefixes, (5) identifying a plurality of prefix-specific loads of the outgoing interfaces, and then (6) predicting a plurality of future traffic loads of the outgoing interfaces based at least in part on (A) the hit probabilities of the subset of prefixes and (B) the prefix-specific loads of the outgoing interfaces. Various other systems and methods are also disclosed.
AUTOMATED DEVELOPMENT OF RECOVERY PLANS
An automated system monitors network traffic to determine dependencies between different machines. These dependencies can be used to automatically develop a recovery plan for the machines, for example restoring servers in a certain order. This approach can also automatically adjust the recovery plan for changes in system configuration, for example as different servers come online or are taken offline or change their roles.
METRICS COLLECTION METHOD AND APPARATUS FOR STREAMING MEDIA, COMPUTER, AND STORAGE MEDIUM
A metrics collection method includes: transmitting a media data obtaining request to an application service device in response to a trigger operation for streaming media; obtaining a media data response message transmitted by the application service device, the media data response message including metrics collection configuration information, and the metrics collection configuration information including metrics collection environment information and network slice information; obtaining environment information of the streaming media, and when the environment information matches the metrics collection environment information, collecting metrics data corresponding to the streaming media; determining, based on the network slice information, a network path for reporting the metrics data; and reporting the metrics data to the application service device through the network path.
System and method for monitoring health status based on home Internet traffic patterns
A health status monitoring method includes: (a) analyzing transport layer data for a dwelling to identify a plurality of occupant specific transport layer data items based on MAC address mapping, (b) establishing an Internet traffic pattern for the occupant for a period of time based on the identified plurality of occupant specific transport layer data items, (c) comparing the established Internet traffic pattern to a predetermined baseline Internet traffic pattern for the occupant and identifying a deviation from the predetermined baseline Internet traffic pattern based on the comparison, and (d) determining that a change in the health status is possible for the occupant based on the identifying of the deviation.