H04L43/024

Logical network traffic analysis
10469342 · 2019-11-05

Some embodiments of the invention provide a method for gathering data for logical network traffic analysis by sampling flows of packets forwarded through a logical network. Some embodiments are implemented by a set of network virtualization controllers that, on a shared physical infrastructure, can implement two or more sets of logical forwarding elements that define two or more logical networks. In some embodiments, the method (1) defines an identifier for a logical network probe, (2) associates this identifier with one or more logical observation points in the logical network, and (3) distributes logical probe configuration data, including sample-action flow entry data, to one or more managed forwarding elements that implement the logical processing pipeline at the logical observation points associated with the logical network probe identifier. In some embodiments, the sample-action flow entry data specify the packet flows that the forwarding elements should sample and the percentage of packets within these flows that the forwarding elements should sample.

User assistance coordination in anomaly detection

In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.

Identifying malicious communication channels in network traffic by generating data based on adaptive sampling
10440035 · 2019-10-08

Identifying malicious communications by generating data representative of network traffic based on adaptive sampling includes, at a computing device having connectivity to a network, obtaining a set of data flows representing network traffic between one or more nodes in the network and one or more domains outside of the network, wherein each data flow in the set of data flows includes a plurality of data packets. One or more features are extracted from the set of data flows based on statistical measurements of the set of data flows. The set of data flows is adaptively sampled based on at least the one or more features. Then, data representative of the network traffic is generated based on the adaptive sampling to identify malicious communication channels in the network traffic.

METHODS AND SYSTEMS FOR ONLINE MONITORING USING A VARIABLE DATA SAMPLING RATE
20190288925 · 2019-09-19

A method for online monitoring of a physical environment using a variable data sampling rate is implemented by a computing device. The method includes sampling, at the computing device, at least one data set using at least one sampling rate. The method also includes processing the at least one data set with condition assessment rules. The method further includes determining whether the at least one data set indicates a change in state of the physical environment. The method additionally includes updating the at least one sampling rate.

PERFORMANCE MEASUREMENT IN A PACKET-SWITCHED COMMUNICATION NETWORK
20190288924 · 2019-09-19

A method is disclosed for performing a performance measurement on a packet flow transmitted along a path through a packet-switched communication network. Two or more measurement points are implemented on the path. Each measurement point calculates a sampling signature for each received packet by applying a hash function to a mask of bits of the packet. Then, it selects a number of measurement samples amongst the received packets, the measurement samples being selected as those packets whose sampling signatures comprise a portion of length S equal to a predefined sampling value. While performing the selection, the measurement point counts the number of selected measurement samples and retroactively adjusts the length based on this number. Then, the measurement point provides measurement parameters relating to the selected measurement samples.

Anomaly detection

Event-time pairs are received for a current time slot. Each event-time pair denotes the occurrence of an event at a system by an event type as well as an occurrence time. For each different event type, a property value for the time slot is computed for each different property of a number of different properties, from the event-time pairs having the different event type. For each different property, a time-decaying histogram of identified property values of the different property is updated using the property value computed for the different property for the current time slot. An anomaly score for each identified property value within the time-decaying histogram of each different property is computed to detect occurrence of an anomaly within the system.

DETERMINING TRACEABILITY OF NETWORK TRAFFIC OVER A COMMUNICATIONS NETWORK
20190280948 · 2019-09-12

A system and method for determining the traceability of network request traffic over a communications network for reducing strain in traffic processing resources, which includes: provisioning a direct interconnect on the communications network between the server and a predefined source, the direct interconnect providing a private service interface, a defined pairings data of the predefined source with the direct interconnect stored as a network traffic almanac; provisioning a public service interface on the communications network; receiving a request traffic having an address of the predefined source via the public service interface; consulting the defined pairing data with the address to determine the request traffic matches the predefined source; and de-prioritizing the processing of the request traffic based on the request traffic being received on the public service interface rather than on the direct interconnect by dynamically applying a prioritize criterion to the second request traffic before generating a response traffic.

Computer network service providing system including self adjusting volume enforcement functionality

A Computer Network Service Providing System including Self Adjusting Volume enforcement functionality and methods for diminishing or minimizing volume leakage.

Methods, devices, systems, and non-transitory machine-readable storage mediums for configuring parameter sampling of devices
11991252 · 2024-05-21

The present disclosure relates to a method, device, and system for configuring parameters, a computer device, a medium, and a product. A configuration device for configuring parameter sampling with respect to an edge device includes: one information acquiring unit, configured to acquire information related to the purpose and use environment of the edge device; one transmitting unit, configured to transmit the information to a cloud platform; and one configuration information determining unit, configured to receive configuration information for parameter sampling with respect to the edge device from the cloud platform, where the configuration information is configuration information determined as matching the information by the cloud platform utilizing a configuration model stored thereby.

TUNING CONTEXT-AWARE RULE ENGINE FOR ANOMALY DETECTION

The technology disclosed relates to building ensemble analytic rules for reusable operators and tuning an operations monitoring system. In particular, it relates to analyzing a metric stream by applying an ensemble analytical rule. After analysis of the metric stream by applying the ensemble analytical rule, quantized results are fed back for expert analysis. Then, one or more type I or type II errors are identified in the quantized results, and one or more of the parameters of the operators are automatically adjusted to correct the identified errors. The metric stream is further analyzed by applying the ensemble analytical rule with the automatically adjusted parameters.