A conversion device (10) includes a separation unit (11) that separates an inputted encapsulated packet into flow information and sampled headers including outer headers and inner headers, a decapsulation unit (12) that separates the outer headers from the sampled headers, and a conversion unit (13) that obtains statistics about the inner headers on the basis of the sampled headers separated from the outer headers, generates an xFlow packet including at least statistical information indicating the statistics about the inner headers, and outputs the generated xFlow packet to an external device.

Embodiments of this application describe an in-situ flow detection-based packet processing method. After receiving a first packet encapsulated by using a first bearer protocol, a first node may obtain, based on the first packet, a second packet encapsulated by using a second bearer protocol. A first packet header of the first packet includes first in-situ flow detection information, and a packet header of the second packet also includes the first in-situ flow detection information. It can be learned that, when re-encapsulating the first packet by using the second bearer protocol, the first node does not remove the first in-situ flow detection information, but adds the first in-situ flow detection information to the packet encapsulated by using the second bearer protocol. Therefore, even if the first bearer protocol and the second bearer protocol are deployed in a detection domain, the first in-situ flow detection information is not removed due to re-encapsulation of the packet, and may be transmitted across the entire detection domain.

A protocol state fuzzing method for security of a control plane of a distributed software-defined network is provided. The protocol state fuzzing method includes receiving input alphabets being abstract symbols of a protocol message in an ambusher of a distributed network operating system (NOS), converting the input alphabets into the protocol message, and sending the protocol message to a cluster, monitoring, by the cluster, intercommunication between instances in the distributed NOS, and selecting a set of sequences executable in the cluster and searching a cluster log for an output by executing the sequence to generate an attack result.

A computer-implemented method for testing failover may include: determining one or more cross-regional dependencies and traffic flow of an application in a first region of a cloud environment, wherein the one or more cross-regional dependencies include a dependency of the application in the first region of the cloud environment to one or more applications in at least one other region of the cloud environment; determining a risk score associated with performing failover of the application to a second region of the cloud environment at least based on the determined one or more cross-regional dependencies and traffic flow of the application; comparing the determined risk score with a predetermined risk score; in response to determining that the determined risk score is lower than the predetermined risk score, performing failover of the application to the second region of the cloud environment; isolating the second region of the cloud environment from the first region of the cloud environment for a predetermined period of time; and monitoring operation of the application in the second region of the cloud environment during the predetermined period of time.

A computer-implemented method for testing failover may include: determining one or more cross-regional dependencies and traffic flow of an application in a first region of a cloud environment, wherein the one or more cross-regional dependencies include a dependency of the application in the first region of the cloud environment to one or more applications in at least one other region of the cloud environment; determining a risk score associated with performing failover of the application to a second region of the cloud environment at least based on the determined one or more cross-regional dependencies and traffic flow of the application; comparing the determined risk score with a predetermined risk score; in response to determining that the determined risk score is lower than the predetermined risk score, performing failover of the application to the second region of the cloud environment; isolating the second region of the cloud environment from the first region of the cloud environment for a predetermined period of time; and monitoring operation of the application in the second region of the cloud environment during the predetermined period of time.

Systems and methods are disclosed for flexibly applying a query term to heterogeneous data. A query system can receive a query that includes a data-determinant query term. As the system executes the query it can generate interim search results. As the system query processes the interim search results based on the query, it can apply the data-determinant query term to records of the interims search results based on the structure of the records.

Embodiments are directed to verifying media stream quality for multiparty video conferences. A verification video may be generated based on verification goals for a video provided by a video service. A marker may be embedded in the verification video. A video conference may be established using video stations such that the video conference may be provided by a video service. The verification video may be streamed to a video input of each video station. The video may be streamed to a video output buffer of each video station such that the video provides a view of the video conference and such that the marker that corresponds to each video station may be included in the video. Video information may be captured from the video output buffer of the video stations. The video service may be classified based on the video information from each video station.

Automatically detecting whether sessions are routed through proxy servers is provided. The system identifies a log with session information generated by a device for a session established between a client and a server traversing the device. The system compares a source internet protocol (“IP”) address for the session identified from the log with IP addresses of proxy servers. The system updates, responsive to a match based on the comparison, the log with an indication that the session was routed through a proxy server.

A high speed intelligent network recorder for recording a plurality of flows of network data packets into and out of a computer network over a relevant data time window is disclosed. The high speed intelligent network recorder includes a printed circuit board; a high speed network switching device mounted to the printed circuit board; and an X column by Y row array of a plurality of intelligent hard drives with micro-computers mounted to the printed circuit board and coupled in parallel with the high speed network switching device.

A method for network recording is disclosed. In one embodiment, the method includes the following: receiving a plurality of incoming packets, wherein each incoming packet belongs to a conversation flow; forming a capture stream of packet records for the incoming packets; and performing intelligent load balancing on the capture stream of packet records, the load balancing including reading the metadata for each packet record, determining a packet record is part of either a hot flow or a cold flow, selecting a destination node for each packet record based on the flow hash, and steering the packet record to one of a plurality of encapsulation buffers based on the destination node, wherein a cold flow tends to be maintained in a flow coherency at a node. The method may further include operations that include querying and back-testing in order to enable distributed analytics by using low cost, low band width nodes.

Methods, systems, and computer readable media for generating and using a web page classification model are disclosed. The method may include identifying a plurality of web pages for generating a web page classification model, assigning a label to each of the plurality of web pages, accessing Transmission Control Protocol/Internet Protocol (TCP/IP) traffic traces associated with downloading content from each of the plurality of web pages, processing TCP/IP headers from the TCP/IP traffic traces to identify and extract features that discriminate between the labels, that are uncorrelated and whose discriminatory accuracy remains stable across time and/or browser platform. The method may further include generating a web page classification model by training a trainer to learn a combination of the features that accurately discriminates between the labels. The model is usable to classify unlabeled web pages by applying the model to TCP/IP traffic traces used to access the unlabeled web pages.