H04L47/2441

On-box behavior-based traffic classification

In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

System and method for tracking domain names for the purposes of network management

A method includes intercepting a first data packet being transmitted from a domain name system (DNS) server to a first client device, the first data packet being a DNS response, extracting a first internet protocol (IP) address and a first hostname from the first data packet, and storing the first IP address and the first hostname in a first entry of an identification table.

LOW-COMPLEXITY DETECTION OF POTENTIAL NETWORK ANOMALIES USING INTERMEDIATE-STAGE PROCESSING
20230239316 · 2023-07-27

In an embodiment, a computer-implemented method receives flow data for network flows. The method extracts a tuple from the flow data and calculates long-term and short-term trends based at least in part on the tuple. The long-term and short-term trends are compared to determine whether a potential network anomaly exists. If a potential network anomaly does exist, the method initiates a heavy hitter detection algorithm. The method forms a low-complexity intermediate stage of processing that enables a high-complexity heavy hitter detection algorithm to execute when heavy hitters are likely to be detected.

INTELLIGENT DATAFLOW-BASED SERVICE DISCOVERY AND ANALYSIS
20230006936 · 2023-01-05

The disclosed embodiments are directed toward monitoring and classifying encrypted network traffic. In one embodiment, a method is disclosed comprising intercepting an encrypted network request, the network request transmitted by a client device to a network endpoint; identifying a network service associated with the network endpoint based on unencrypted properties of the encrypted network request; identifying, based on the encrypted network request and a series of subsequent network requests issued by the client device, an action taken by the client device, the action comprising an activity performed during a session established with the network service; and updating a catalog of network interactions using the network service and the action.

Analysis system and analysis method

A collection device (10) collects traffic from a core network (10N) connected to a plurality of operator networks (20N). Further, an analysis device has a plurality of functions of analyzing traffic. Further, a setting device sets a scenario that designates at least one of the plurality of functions. Further, a pre-processing device converts the traffic collected by the collection device (10) to traffic of a format suitable for the function designated by the scenario. Further, a distribution device distributes the traffic converted by the pre-processing device to a designated function.

Network traffic monitoring or storage using a signed uniform resource locator
11716263 · 2023-08-01

A network monitoring device may receive flow-tap information that identifies a traffic flow characteristic and a signed URL associated with a signed URL platform from a mediation device. The network device may map the traffic flow characteristic to the signed URL in an entry of a flow-tap filter that is maintained within a data structure of the network device. The network device may analyze, using the flow-tap filter, network traffic of the network to detect a traffic flow that is associated with the traffic flow characteristic. The network device may generate, based on detecting the traffic flow in the network traffic, a traffic flow copy that is associated with the traffic flow. The network device may provide, based on the signed URL, the traffic flow copy to the signed URL platform, wherein the traffic flow copy is to be accessible to an authorized user device via the signed URL.
