This application provides an example delay measurement method and an example network device. The method includes receiving, by a first network device, a first service flow. The method also includes determining, by the first network device, a first delay value based on a first measurement code block in the first service flow. The first delay value is a time difference between a first moment at which the first measurement code block is detected in the first network device and a second moment at which the first measurement code block is detected in the first network device.

This application provides an example delay measurement method and an example network device. The method includes receiving, by a first network device, a first service flow. The method also includes determining, by the first network device, a first delay value based on a first measurement code block in the first service flow. The first delay value is a time difference between a first moment at which the first measurement code block is detected in the first network device and a second moment at which the first measurement code block is detected in the first network device.

Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.

Systems, devices and techniques for an adaptive application-specific probing scheme are disclosed. An example network device includes memory configured to store a network address and probe protocol usable for probing a first network device associated with a source of an application, and one or more processors configured to determine a network address and probe protocol usable for probing the first network device, wherein the first network device comprises a server that is responsive to the probing, the server executing the application for the data flow, or a closest network device, to the server, that is responsive to the probing. The one or more processors are also configured to send to a second network device at a location serviced by the application, a message specifying the network address and probe protocol usable for probing the first network device.

Aspects of the subject disclosure may include, for example, a processing system that performs operations including collecting encrypted network traffic flow data from user interaction with an application, deriving a first set of traffic feature vectors from the encrypted network traffic flow data collected, training a machine learning algorithm on the first set of traffic feature vectors to classify each traffic feature vector in the first set of traffic feature vectors as associated with a type of the application or not associated with the type of the application, and classifying whether an encrypted network traffic flow as the type of the application by applying the machine learning algorithm to a traffic feature vector of the encrypted network traffic flow. Other embodiments are disclosed.

A system and computer-implemented method to monitor network traffic for a protected network using a block of IP addresses including an IP address for a server. The method includes selecting one or more green addresses, each being a different IP address from the block of IP addresses, associating the green addresses with the IP address of the server, and receiving a packet of the internet traffic from a client directed to an IP address of the block of IP addresses prior to any performance of DPI on the packet. It is determined whether the destination address matches the one or more green addresses or is a yellow address (which belongs to the block of IP addresses, but is not a green address). When determined that the destination address matches the one or more green addresses, the method the packet is sent to the IP address associated with the matching green address, bypassing any DPI. Otherwise, the packet is sent to a scrubber to analyze the packet using DPI and handle the packet or perform a redirection of the client. The redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any DPI.

A method and system for subscriber awareness for traffic flows in a computer network. The system including: a Subscriber Awareness Control Plane (SACP) module configured to register as a network node and subscribe to at least one network function on the network; at least one processing module configured to request and receive information of traffic flow parameters and subscriber parameters for the traffic flows from the at least one network function; and a subscriber awareness module configured to map subscribers to traffic flows, based on the received traffic flow parameters and subscriber parameters. The method including: registering an SACP module as a network node; subscribing to at least one network functions; receiving information of traffic flow parameters and subscriber parameters for the traffic flows; and mapping subscribers to traffic flows, based on the traffic flow parameters and subscriber parameters.

A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

A method for deep packet inspection (DPI) in a software defined network (SDN). The method includes configuring a plurality of network nodes operable in the SDN with at least one probe instruction; receiving from a network node a first packet of a flow, the first packet matches the at least one probe instruction and includes a first sequence number; receiving from a network node a second packet of the flow, the second packet matches the at least one probe instruction and includes a second sequence number, the second packet is a response of the first packet; computing a mask value respective of at least the first and second sequence numbers indicating which bytes to be mirrored from subsequent packets belonging to the same flow; generating at least one mirror instruction based on at least the mask value; and configuring the plurality of network nodes with at least one mirror instruction.

Technologies for providing out-of-order network packet management and selective data flow splitting include a computing device. The computing device includes circuitry to identify a service data flow associated with a set of packets to be sent to a recipient computing device. The circuitry is also to determine a target quality of service for the service data flow, determine, as a function of the target quality of service, one or more radio links on which to send the packets, including determining whether to split the service data flow over multiple radio links, and send the packets through the determined one or more radio links.