Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

Provided is an intrusion detection technique configured to: obtain kernel-filter criteria indicative of which network traffic is to be deemed potentially malicious, determine that a network packet is resident in a networking stack, access at least part of the network packet, apply the kernel-filter criteria to the at least part of the network packet and, based on applying the kernel-filter criteria, determining that the network packet is potentially malicious, associate the network packet with an identifier of an application executing in userspace of the operating system and to which or from which the network packet is sent, and report the network packet in association with the identifier of the application to an intrusion-detection agent executing in userspace of the operating system of the host computing device, the intrusion-detection agent being different from the application to which or from which the network packet is sent.

Embodiments include methods for supporting metrics collection and reporting for Fifth Generation (5G) Media Streaming in a 5G system (5GS) network. Various embodiments include systems and methods enabling a Media Session Handler running on a processor of a wireless device connected to a radio access network (RAN) of a 5GS network to receive a metrics configuration message from an application function (AF) server of the 5GS network via a M5 interface, wherein the metrics configuration message indicates one or more metrics measurement, collection and reporting requirements associated with a 5G Media Streaming service, and send a metrics report associated with the media session to the AF server via the M5 interface.

Embodiments include methods for supporting metrics collection and reporting for Fifth Generation (5G) Media Streaming in a 5G system (5GS) network. Various embodiments include systems and methods enabling a Media Session Handler running on a processor of a wireless device connected to a radio access network (RAN) of a 5GS network to receive a metrics configuration message from an application function (AF) server of the 5GS network via a M5 interface, wherein the metrics configuration message indicates one or more metrics measurement, collection and reporting requirements associated with a 5G Media Streaming service, and send a metrics report associated with the media session to the AF server via the M5 interface.

The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

The present disclosure relates to methods and apparatus that collect data regarding malware threats, that organizes this collected malware threat data, and that provides this data to computers or people such that damage associated with these software threats can be quantified and reduced. The present disclosure is also directed to preventing the spread of malware before that malware can damage computers or steal computer data. Methods consistent with the present disclosure may optimize tests performed at different levels of a multi-level threat detection and prevention system. As such, methods consistent with the present disclosure may collect data from various sources that may include endpoint computing devices, firewalls/gateways, or isolated (e.g. “sandbox”) computers. Once this information is collected, it may then be organized, displayed, and analyzed in ways that were not previously possible.

Described herein are systems, methods, and software to manage the identification of control packets in an encapsulation header. In one implementation, a computing system may receive a Geneve packet at a network interface and determine that the Geneve packet includes an Operations and Management (OAM) flag. Once the OAM flag is identified, the computing system can select a processing queue from a plurality of processing queues for a main processing system of the computing system based on the OAM flag and assign the Geneve packet to the processing queue.

A fraud monitor in a managed network is provided. The fraud monitor uses the network's instrumentation data, configuration data, and account information to detect fraudulent activities in the network, such as fraudulent advertisement or other types of fraudulent data traffic, including fraudulent responses (e.g., fraudulent clicks) to advertisement. The fraud monitor receives configuration data and identification data for physical resources of the network. The fraud monitor receives instrumentation data of packet traffic in the network. The fraud monitor receives account information for users of the network. The fraud monitor analyzes the instrumentation data to detect a violation of a fraud detection policy that prevents malicious or fraudulent online advertisement activity based on the configuration data, identification data, or account information.

A fraud monitor in a managed network is provided. The fraud monitor uses the network's instrumentation data, configuration data, and account information to detect fraudulent activities in the network, such as fraudulent advertisement or other types of fraudulent data traffic, including fraudulent responses (e.g., fraudulent clicks) to advertisement. The fraud monitor receives configuration data and identification data for physical resources of the network. The fraud monitor receives instrumentation data of packet traffic in the network. The fraud monitor receives account information for users of the network. The fraud monitor analyzes the instrumentation data to detect a violation of a fraud detection policy that prevents malicious or fraudulent online advertisement activity based on the configuration data, identification data, or account information.

Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like. Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network.