US Pat. No. 9,750,135

DUAL FACED ATCA BACKPLANE

NetScout Systems Texas, L...

1. A system compatible for use with an Advanced Telecommunications Computing Architecture (ATCA) comprising:
a chassis comprising:
a first plurality of slots for receiving ATCA circuit boards;
a second plurality of slots for receiving circuit boards; and
a midplane having a front surface and a back surface, the midplane extending between the first plurality of slots and the
second plurality of slots, the midplane having a first plurality of connectors affixed to the front surface and having a second
plurality of connectors affixed to the back surface, each connector of the first and second plurality of connectors arranged
to accept a circuit board and used for data transport,

wherein the midplane forms an interconnection scheme such that one of the first plurality of slots is directly and operatively
connected to one of the second plurality of slots, such that the first plurality of connectors and the second plurality of
connectors access the midplane in a same substantially vertical column, and wherein the one of the first plurality of slots
and the one of the second plurality of slots extend in opposite directions from their respective connections on the midplane,

wherein the midplane is used for data transport between connectors of the second plurality of connectors and for data transport
between a connector of the first plurality of connectors and a connector of the second plurality of connectors when, of the
ATCA circuit boards and the circuit boards received by the first and second plurality of slots, only at least a portion of
the circuit boards received by the second plurality of slots include a switch fabric that is coupled to the midplane, and

wherein the first plurality of connectors comprises two first connectors and wherein the second plurality of connectors comprises
three second connectors, the two first connectors and three second connectors are configured to use a substantially similar
portion of the midplane as a standard ATCA configuration.

US Pat. No. 9,479,951

SELECTIVE REAL-TIME GTP SESSION TRACKING USING DISTRIBUTED PROCESSING TECHNIQUES

NetScout Systems Texas, L...

1. A method for real-time network monitoring, comprising:
monitoring, via a lightweight session tracking module of a network monitoring device, control plane data for connectivity
sessions of User Equipment (UE) in a communication network, each of the connectivity sessions comprises General Packet Radio
Service (GPRS) Tunneling Protocol (GTP) session, wherein the monitoring connectivity sessions comprises monitoring GTP protocol
control plane message traffic between network interfaces of a plurality of network nodes in the communication network, the
plurality of nodes comprises at least one of an Evolved Node B (eNB), a Mobility Management Entity (MME) node, a Serving Gateway
(SGW) node, a Packet data Network Gateway (PGW) node, and a Serving General Packet Radio Service (GPRS) Support Node (SGSN);

selectively identifying, via the lightweight session tracking module, at least one bearer for a corresponding connectivity
session according to one or more control plane attributes;

associating, via the lightweight session tracking module, each selectively identified bearer for the corresponding connectivity
session with a bearer routing rule for user plane data;

receiving, via a packet routing module of the network monitoring device, user plane data for connectivity sessions of UE and
associating a correlation identifier with the received user plane data; and

transmitting, via the packet routing module, the correlation identifier and the user plane data of the connectivity sessions
according to the bearer routing rule of the lightweight session tracking module to a flow processing module for subsequent
data flow analysis.

US Pat. No. 9,621,607

SYSTEMS AND LANGUAGES FOR MEDIA POLICY DECISION AND CONTROL AND METHODS FOR USE THEREWITH

NetScout Systems Texas, L...

1. A system for use in a network, the system configured to:
store a plurality of media-centric policies in a policy repository, the policy repository comprising a rules engine for evaluating
policy rules, wherein the policy repository is part of a media policy decision and control point, implemented via one or more
processors coupled to one or more memory elements, that provides streaming media in a plurality of media sessions between
a media source and a corresponding plurality of client devices,

wherein the media policy decision and control point comprises a media policy enforcement point that forwards data packets
associated with data sessions of each client device to and from an operator network with minimal latency;

execute operational instructions in accordance with a media centric policy language to select a proper subset of the plurality
of media-centric policies corresponding to one of the plurality of media sessions,

wherein the media-centric policy language expresses at least one of: operator preferences, operator goals, or operator constraints,
the media centric policy language being a rule-based language that facilitates media-centric policy decision and enforcement
based on a plurality of attribute types, wherein each attribute type has a corresponding plurality of attributes, the plurality
of attribute types including: a subscriber attribute type, a device attribute type, an application attribute type, and a flow-based
attribute type,

the plurality of attributes corresponding to the subscriber attribute type include at least one of: a subscriber identifier,
a time-based subscriber quota, a volume-based subscriber quota, a subscriber data plan, a subscriber tier, or a subscriber
group,

the plurality of attributes corresponding to the device attribute type include at least one of: a device display size, a device
display resolution, a device type, a device operating system, a browser identifier, a user agent, or a media player identifier,

the plurality of attributes corresponding to the application attribute type include at least one of: a media site, a media
service, a content data network, an edge server, an origin server, a container format, a container encryption status, or a
streaming protocol type,

the plurality of attributes corresponding to the flow-based attribute type include at least one of: a VLAN identifier, an
IP address, a port number, a transport protocol, a VPN tunnel, a TOS value, or a DSCP value; and

enforce by the media policy enforcement point the selected media-centric policies to control the one of the plurality of media
sessions based on the attributes.

US Pat. No. 9,479,413

METHODS AND POLICIES TO SUPPORT A QUALITY-OF-STORAGE NETWORK

Netscout Systems Texas, L...

1. A method for managing data in a Quality-of-Storage (QoSt) network comprising a plurality of nodes, the method comprising:
receiving current QoSt network topology information;
receiving, at a data storage interface of the QoSt network, a plurality of data streams from a plurality of applications;
performing differentiated treatment upon the received data streams in the data storage interface contingent upon at least
different types of data in said received data streams based on one or more QoSt attributes, the QoSt attributes being received
independently of the plurality of applications; and

performing a plurality of data management operations on the data in the received data streams based on the data storage interface
and based on said current QoSt network topology information.

US Pat. No. 9,485,298

DEVICE WITH VIDEO BUFFER MODELING AND METHODS FOR USE THEREWITH

NetScout Systems Texas, L...

1. A device for use in a system that analyzes media session data communicated via a network between a media server and a media
client, the device comprising:
processing hardware that is separate from the media server and the media client and that includes:
a frame data analyzer that generates estimated buffer increment data based on frame data sent from the media server to the
media client and further based on acknowledgement data sent from the media client to the media server;

a playback data generator that generates estimated playback data based on estimated frame data buffer contents that includes
the estimated buffer increment data and further based on estimated player state data that indicates an estimated state of
a plurality of possible player states that include an estimated playback state that corresponds to estimated playback by the
media client and an estimated stall state where the media client is estimated to be re-initializing;

frame buffer model generator, coupled to the frame data analyzer and the playback data generator, that generates an estimated
buffer fullness indicator, based on the estimated buffer increment data and the estimated playback data;

a player state generator, coupled to the frame buffer model generator, that generates the estimated player state data including
the estimated playback state that corresponds to the estimated playback by the media client and the estimated stall state
where the media client is estimated to be re-initializing, based on the estimated buffer fullness indicator and further based
on media client data indicating buffer depth, without data from the media client that indicates an actual amount of frame
data stored in a buffer of the media client, an actual playback state of the media client and an actual stall state of the
media client; and

a key performance indicator (KPI) report generator coupled to the frame buffer model generator and the player state generator,
that generates a report that includes KPI report data generated based on the estimated buffer fullness indicator and the estimated
player state data.

US Pat. No. 9,686,675

SYSTEMS, METHODS AND DEVICES FOR DERIVING SUBSCRIBER AND DEVICE IDENTIFIERS IN A COMMUNICATION NETWORK

NETSCOUT SYSTEMS TEXAS, L...

1. A method for subscriber mapping in a communication network in real time continuously, comprising:
receiving, by a network monitoring node(s), one or more data messages regarding User Equipment (UE) from one or more network
interfaces for a communication session in the communication network;

determining, by the network monitoring node, a subscriber identification (ID) associated with the UE from the one or more
data messages regarding the UE;

determining, by the network monitoring node, an equipment identification (ID) associated with the UE from the one or more
data messages regarding the UE;

receiving, by the network monitoring node, a base-key associated with the UE from the one or more data messages regarding
the UE;

deriving, by the network monitoring node, a Non-Access Stratum Encryption (KNASenc) Key and a Non-Access Stratum Integrity Protection (KNASint) Key;

decrypting, by the network monitoring node, a temporary ID associated with the UE from the one or more data messages regarding
the UE based on both the KNASenc and KNASint Keys;

mapping, by the network monitoring node, the temporary ID with the subscriber ID for the UE, and the subscriber ID with the
equipment ID for the UE;

assigning, by the network monitoring node, data messages for the communication session to the UE based on the mapping; and
assigning, by the network monitoring node, the subscriber ID and the equipment ID to further communication sessions associated
with the UE.

US Pat. No. 9,749,382

SYSTEMS FOR MEDIA POLICY DECISION AND CONTROL AND METHODS FOR USE THEREWITH

NetScout Systems Texas, L...

1. A system for use in a network connected to the Internet that provides streaming media in a plurality of media sessions
between a media source connected to the Internet and a corresponding plurality of client devices connected to network, the
system comprising:
at least one computer processor;
at least one network interface under the control of the at least one computer processor; and
at least one memory, comprising:
computer-executable instructions for implementing a policy repository, wherein the instructions for implementing the policy
repository, when executed by the at least one computer processor, cause the at least one computer processor to store a plurality
of media-centric policies;

computer-executable instructions for implementing a media policy decision point, coupled to the network and the policy repository,
wherein the instructions for implementing the media policy decision point, when executed by the at least one computer processor,
cause the at least one computer processor to:

receive media session data corresponding to one of the plurality of media sessions;
determine a plurality of media session and non-media session attributes, based on the media session data;
evaluate a plurality of media-centric policies;
determine, based on evaluation of the plurality of media-centric policies, a proper subset of the plurality of media-centric
policies that apply to the one of the plurality of media sessions, wherein each of the plurality of media-centric policies
include a rule that includes a logical expression that defines when the rule is satisfied and an action, associated with the
rule; and

distinguish between attributes of the plurality of media session attributes that include a plurality of session-static attributes
versus attributes of the plurality of media session attributes that include a plurality of session-dynamic attributes; and

computer-executable instructions for implementing a media policy enforcement point, coupled to the network and to the media
policy decision point, wherein the instructions for implementing the media policy enforcement point, when executed by the
at least one computer processor, cause the at least one computer processor to enforce the proper subset of the plurality of
media-centric policies to control the one of the plurality of media sessions based on changes in the at least one of the media
session attributes and the outcome of the distinguishing between the attributes.

US Pat. No. 9,747,361

SYSTEM AND METHOD FOR GROUPING AN UNBOUNDED DATASET INTO GROUPS THAT CAN BE SUBSEQUENTLY BINNED

NetScout Systems Texas, L...

1. A computer system to group a data set, comprising:
a memory configured to store instructions;
a processor disposed in communication with said memory, wherein said processor upon execution of the instructions is configured
to:

access a data set including a plurality of data elements; and
associate the plurality of data elements with a plurality of data groups, the data set being assignable to a plurality of
bins that are grouped differently than the plurality of data groups, assignment of the data set to the plurality of bins being
performed by accessing the plurality of data groups without accessing the data set or the plurality of data elements, and
accessing each of the plurality of data elements in the data set a single time such that for each data element accessed, associating
the data element to a selected data group of the plurality of data groups based on whether a value associated with the data
element is inclusively between minimum and maximum values associated with the selected data group.

US Pat. No. 10,108,672

STREAM-BASED OBJECT STORAGE SOLUTION FOR REAL-TIME APPLICATIONS

NETSCOUT SYSTEMS TEXAS, L...

1. A stream based storage system that enables optimal handling of storage for a variable number of data streams having variable capacity, the stream based storage system comprising:a plurality of physical storage volumes configured to store data in a distributed manner, each of the plurality of storage volumes having a corresponding throughput limitation;
a plurality of storage nodes configured to provide storage and retrieval of at least a time-based portion of one or more data streams in response to a receipt of a data storage/retrieval request associated with the one or more data streams and configured to manage the plurality of physical storage volumes, each of the one or more data streams comprising a plurality of time-ordered items, each of the plurality of time-ordered items belonging to one of a plurality of item types, wherein, in response to a receipt of a data storage request, the stream based storage system is configured to decompose the one or more data streams associated with the data storage request into a plurality of substreams having a corresponding throughput limitation so that the plurality of storage volumes stores the plurality of substreams based on the corresponding throughput limitations; and
a plurality of applications communicatively coupled to the plurality of storage nodes, the plurality of applications providing a user interface to issue said data storage/retrieval request associated with the one or more data streams,
wherein treatment of the one or more data streams is determined by a set of user-configurable rules specifying data classification and filtering criteria and wherein the set of user-configurable rules includes at least a data security class indicative of a required security level for a corresponding data stream.

US Pat. No. 9,929,930

REDUCING AN AMOUNT OF CAPTURED NETWORK TRAFFIC DATA TO ANALYZE

NetScout Systems Texas, L...

1. A communication network monitoring system comprising:a plurality of probes coupled to respective locations of a communication network, each of the probes including programmable instructions configured to execute on a processing device, the probes being configured to:
capture network data from network traffic of the communication network;
detect by lightweight analysis performed by a first probe of the plurality of probes a data packet of the captured network data that includes information related to a transactional procedure failure transacted by an end-user device;
determine, by the first probe, an identity of the end-user device;
share the identity of the end-user device with other probes of the plurality of probes;
add the end-user device's identity to respective whitelists associated with the probes of the plurality of probes; and
perform, for end-user identities included in the respective whitelists, detailed analysis of network data associated with the end-user identities captured during a predetermined time period.

US Pat. No. 9,942,133

FULLY CONNECTED NETWORK

NetScout Systems Texas, L...

1. A fully-connected mesh network comprising:a plurality of switches, a first switch of the plurality of switches receiving a packet traveling through the mesh network from a source node to a destination node specified by the packet, the source node and destination node being external to the mesh network; and
a plurality of links coupling each possible pair of the switches by a respective single link, wherein the plurality of links are all included in a mesh link aggregation group (LAG), each of the respective links is included individually in an individual LAG, each of the switches is configured to receive a packet from another switch of the plurality of switches via only the mesh LAG, and each switch that receives a packet via the mesh LAG is configured to transmit the packet to another switch of the plurality of switches via only one of the individual LAGs, wherein the packet travels to the destination node at most two hops across the plurality of switches and wherein the packet is transmitted from the second switch of the plurality of switches to a third switch of the plurality of switches via one of the individual lags, the third switch being determined using layer 2 and 2.5 information in the packet representing the destination node, the packet being transmitted to the destination node from the third switch.

US Pat. No. 9,929,908

METHOD AND SYSTEM FOR OPTIMIZING A COMMUNICATION NETWORK FEATURE PRIOR TO IMPLEMENTING A NEW SERVICE

NetScout Systems Texas, L...

1. A method of optimizing a feature of a communication network, the method comprising:assigning, by a processor, a plurality of network nodes in the communication network to a network cluster;
determining, by the processor, at least one first key performance indicator (KPI) value for data exchanged between the network nodes in the network cluster, wherein the data is associated with a first communication service and wherein the first communication service is different from a Voice over Long Term Evolution (VoLTE) service;
injecting second communication service traffic comprising VoLTE service traffic, prior to implementation of a second communication service, wherein the injected traffic is injected into the communication network exclusively for the purpose of testing performance of the second communication service within the communication network prior to implementation of the second communication service;
determining, by the processor, at least one second KPI value for the injected second communication service traffic;
determining, by the processor, a need for an optimization of a feature of the communication network in response to the second KPI value being outside of a pre-determined range; and
optimizing the feature determined needed for optimization wherein the optimization includes one of a handover parameter, an X2 parameter, an S1 parameter, a link level parameter, a system level parameter, Radio Resource Control (RRC) rejects and timeouts to achieve a certain second KPI value for the network.

US Pat. No. 10,015,309

CONDITIONAL TWO STAGE DISTRIBUTED CORRELATION OF CP-UP FOR IMS PROTOCOLS

NetScout Systems Texas, L...

1. A network monitoring system for monitoring calls in a VoLTE network, the calls having session initiation protocol (SIP), real time protocol (RTP) and H.248 portions, the network monitoring system comprising:one or more monitoring probes, executed by one or more processors, coupled to network interfaces and placed at different monitoring points and first correlation processor and second correlation processor, the one or more monitoring probes configured to capture data packets from the network interfaces, the data packets associated with messages exchanged between network nodes, the one or more monitoring probes further configured to:
generate SIP data records, RTP data records and H.248 data records by monitoring the SIP, RTP and H.248 portions of the calls in the VoLTE network;
for each generated SIP data record:
send the generated SIP data record to the second correlation processor based on a distribution key;
generate a routing label, wherein the routing label includes at least the distribution key, a first attribute and a second attribute; and
send the generated routing label to the first correlation processor;
for each generated H.248 data record and generated RTP data record:
send the generated H.248 data record and the generated RTP data record to the first correlation processor based on the first and the second attributes, respectively;
the first correlation processor configured to:
correlate received RTP data records and the generated routing label for each generated SIP record based on the second attribute;
correlate received H.248 data records and the generated routing label for each generated SIP data record based on the first attribute;
insert the distribution key into the correlated RTP and H.248 data records; and
send the correlated RTP data records and the correlated H.248 data records to the second correlation processor based on the distribution key; and
the second correlation processor configured to:
bind the generated SIP data records with the correlated RTP data records and with the correlated H.248 data records to a single call based on the distribution key.

US Pat. No. 10,075,349

SYSTEMS AND METHODS FOR MODELING QUALITY OF SERVICE FOR STREAMING MEDIA

NetScout Systems Texas, L...

1. A computer system comprising:a monitoring device coupled to a network, wherein the monitoring device includes:
a memory configured to store instructions; and
at least one computer processor disposed in communication with the memory, wherein the at least one computer processor upon execution of the instructions is configured to:
monitor a media program streaming across the network to a media client for perceivable transmission impairments; and
provide a model to reflect user dissatisfaction based on types of perceivable transmission impairments and timing, duration, and frequency of perceivable transmission impairments to estimate a quality of experience of the media program, the model implements a parametric function providing a behavioral model of a user that reflects user satisfaction decreases during perceivable transmission impairments and increases frequency of perceivable transmission impairments to estimate a quality of experience of the media program, the model implements a parametric function providing a behavioral model of a user that reflects user satisfaction decreases during perceivable transmission impairments and increases during uninterrupted playback as a function of time, wherein the parameterized function comprises a piecewise function having a plurality of subfunctions and the model transitions through the plurality of subfunctions based on one or more thresholds defined by at least one parameter of a set of parameters including a cosine subfunction and linear subfunction, wherein the model further reflects a user expectation context for streaming the media program, the user expectation context comprising a duration of the media program and at least one of: a device type of the media client, a network connection type of the network; and a service type associated with the media program.

US Pat. No. 9,967,164

METHODS AND DEVICES TO EFFICIENTLY DETERMINE NODE DELAY IN A COMMUNICATION NETWORK

NetScout Systems Texas, L...

1. A method for measuring delay in a communication network, comprising:monitoring, by a network monitoring node, at least one tap point corresponding to a network interface between User Equipment (UE) and one or more additional nodes in the communication network, wherein the at least one tap point comprises at least a first tap point and a second tap point, the first tap point and the second tap point corresponding to first and second network nodes of the additional nodes, wherein the first tap point includes a first tap location at an ingress side of the first network node and a second tap location at an egress side of the first network node, and the second tap point includes a third tap location at an ingress side of the second network node and a fourth tap location at an egress side of the second network node;
detecting, by the network monitoring node, one or more transactions at the at least one tap point corresponding to the network interface, each transaction including request data and response data;
classifying, by the network monitoring node, each transaction detected at the respective at least one tap point as an ingress or egress transaction relative to the node that corresponds to the tap point;
determining, by the network monitoring node, a time associated with the request data and a time associated with the response data for each transaction as classified;
determining, by the network monitoring node, a delay time for each transaction as classified, for each of the ingress and egress side of the at least one tap point by a difference between the time associated with the request data and the time associated with the response data;
assigning, by the network monitoring node, the delay time for each transaction as classified, for each of the ingress and egress side of the at least one tap point to one or more predefined time ranges;
incrementing, by the network monitoring node, a count corresponding to the one or more predefined time ranges when the delay time is assigned;
comparing, by the network monitoring node, the delay time for each transaction as classified at the first tap point to the delay time for each transaction as classified at the second tap point to determine that a particular network node of the first and second network nodes has an issue associated with an excessive delay; and
indicating, by the network monitoring node, the issue to a network operator, responsive to detecting the issue.

US Pat. No. 10,009,247

STREAMING VIDEO MONITORING USING CDN DATA FEEDS

NETSCOUT SYSTEMS TEXAS, L...

1. A method for monitoring streaming video content, the method comprising:registering, by a processor, first and second software probes with respective first and second Content Delivery Network (CDN) servers of a plurality of CDN servers, the registration indicating that the first and second software probes are assigned to collect trace information related to a Video on Demand (VoD) session from the respective first and second CDN servers during a streaming VoD session,
wherein the first and second CDN servers each store VoD content, and wherein a client device initiated the streaming VoD session by requesting the VoD content from one of the first or second CDN server, and client device's request includes identification of the client device and identification of at least one of the VoD content and a storage location of the VoD content being streamed by the corresponding one of the first or second CDN server;
receiving, monitoring and analyzing, by the processor, the trace information collected by the first and second software probes during the streaming VoD session;
determining, by the processor, the trace information collected by the first and second software probes belonging to the same streaming VoD session based on the identification of the client device and identification of at least one of the VoD content and a storage location of the VoD content being streamed by the corresponding first or second CDN server;
generating, by the processor, a first VoD session record that includes the trace information collected by the first and second software probes that were determined to belong to the same streaming VoD session;
receiving, by the processor, packet core network (PCN) signaling data collected by at least a third and fourth PCN software probe deployed in a PCN, the PCN signaling data including messages that identify the client device and URI information associated with the requested VoD content;
monitoring and analyzing, by the processor, the PCN signaling data;
determining, by the processor, the PCN signaling data belonging to the streaming VoD session based at least on a streaming protocol used, identification of the client device, and URI information associated with the requested VoD content, wherein the PCN signaling data determined to belong to the streaming VoD session is provided by multiple CDN servers of the plurality of CDN servers;
generating, by the processor, a second VoD session record that includes the PCN signaling data sent over the PCN and collected by the one or more PCN software probes that were determined to belong to the streaming VoD session;
correlating, by the processor, the first and second VoD session records using information included in the first and second VoD session records including identification of at least one of the client device and URI information associated with the requested VoD content; and
generating, by the processor, a third session record that is based on and includes the correlated first and second VoD session records.

US Pat. No. 10,104,561

SIGNALING MESSAGE CORRELATION IN LTE ACCESS AND CORE NETWORKS

NETSCOUT SYSTEMS TEXAS, L...

1. A computer implemented method for correlating data packets across a core and access network in a telecommunications network by a network monitoring device having a protocol analyzer coupled to the network, comprising:correlating signaling packets from Uu and X2 interfaces in the access network and S1AP packets on an S1-MME interface in the core network via utilizing unique correlation IDs provided by Trace Port functions on the eNodeBs wherein signaling packets on the Uu and X2 interfaces, and the S1AP packets for a session, carry a same correlation ID;
creating an access session when a signaling packet with a new correlation ID is detected, and when a S1AP packet is detected, message type is processed to determine if it contains Information Elements (IEs) eNB-ID, MME-UE-ID and eNB-UE-ID so as to extract the IEs wherein IE extraction is performed once for an access session on one S1AP packet such that after IE extraction, no S1AP packets are further processed and all S1AP packets are dropped for an access session;
processing the S1AP packet to extract the IEs and generating an identification attribute eNodeBCallID from the extracted IEs;
integrating the generated eNodeBCallID identification attribute to the access session that has the same correlation ID as the S1AP packet;
generating the identification attribute eNodeBCallID from Information Elements (IEs) in S1AP packets present in the core network when processing a core session, in response to determining that the processed S1AP packet contains each of the eNB-ID, the MME-UE-ID and the eNB-UE-ID IEs wherein the identification attribute is formatted as an eNodeBCallID identification attribute;
integrating the generated identification attribute to the core session of the core network such that both the access and the core sessions have the same eNodeBCallID identification attribute; and
correlating data packets between the access and core session by comparing if a core session contains the same identification attribute as that of an access session and if there is time overlap of the two sessions, wherein access and core sessions are correlated by comparing generated eNodeBCallID identification attribute and corresponding time stamps.

US Pat. No. 10,425,913

AUTOMATED EQUIPMENT CHARACTERIZATION FROM WIRELESS NETWORK DATA

Netscout Systems Texas, L...

1. A computer system for detecting a faulty behavior of a user equipment (UE) in a telecommunication network, the computer system comprising one or more processors, one or more computer-readable storage devices, and a plurality of program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors, the plurality of program instructions comprising:program instructions to receive and correlate Protocol Data Units (PDU) and data packets from a Radio Access Network (RAN) and network interfaces to determine a trouble report associated with the first UE, wherein the received trouble report includes information uniquely identifying the first UE and includes indications of trouble affecting the first UE;
program instructions to establish one or more geographic locations for each communication session associated with the first UE for a predetermined period of time based on the received trouble report;
program instructions to compare one or more performance metrics associated with the first UE with one or more performance metrics associated with a plurality of UEs, wherein each of the plurality of UEs handled one or more communication sessions at the established one or more geographic locations during the predetermined period of time;
program instructions to characterize the first UE as defective responsive to a determination that the one or more performance metrics associated with the first UE indicate poor performance while the one or more performance metrics associated with the plurality of UEs fall within a pre-defined range of normal operation of UEs or characterize the first UE as unimpaired and characterize the trouble affecting the first UE as a network trouble responsive to a determination that the one or more performance metrics associated with the first UE and the one or more performance metrics associated with the plurality of UEs indicate poor performance; and
program instructions to apply iterative root cause analysis of a knowledge model having a plurality of inference rules to provide a corrective action to resolve the trouble affecting the first UE.

US Pat. No. 10,282,446

DYNAMIC SELECTION OF SOURCE TABLE FOR DB ROLLUP AGGREGATION AND QUERY REWRITE BASED ON MODEL DRIVEN DEFINITIONS AND CARDINALITY ESTIMATES

NetScout Systems Texas, L...

1. A method for optimizing data access in a data warehouse having a model driven architecture, the method comprising:receiving an Object Management Group (OMG) data model for storing time series measurement data representing a plurality of dimensions and measurements, the OMG data model having one or more aggregation tables, and wherein the OMG data model defines at least one of one or more fact tables, one or more dimension tables, and one or more aggregation rules defining data rollup aggregations in the one or more aggregation tables;
receiving a query from a user, the query having one or more predicates, wherein the one or more predicates include data to limit a data set against which conditions are to be evaluated and wherein the one or more predicates include at least one of user identity, user group identity, identity of devices operating in a predefined geographic area, identity of devices experiencing specific operating environments above or below a predefined threshold for a predefined period of time;
identifying one or more candidate optimization sources, wherein the one or more candidate optimization sources comprise one or more aggregation tables;
determining, by the processor, cardinality for each dimension stored in each of the one or more identified candidate optimization sources;
determining, by the processor, a degree of data rollup for each of the one or more identified candidate optimization sources;
generating an optimization score for each of the one or more identified candidate optimization sources based, at least in part, on the determined cardinality and the determined degree of data rollup;
selecting, by the processor, one candidate optimization source from the one or more identified candidate optimization sources based on the generated optimization score; and
optimizing, by the processor, the received query using the one or more aggregation tables, in response to selecting the one candidate optimization source.

US Pat. No. 10,284,650

METHOD AND SYSTEM FOR DYNAMIC HANDLING IN REAL TIME OF DATA STREAMS WITH VARIABLE AND UNPREDICTABLE BEHAVIOR

NetScout Systems Texas, L...

1. A master controller device for supervising data stream storage, comprising:a plurality of storage node units;
at least one Data Repository Unit controller device;
at least one probe control unit; and
at least one processing device, the processing device configured to execute programmable software instructions to perform operations including:
communicating with at least one probe that captures network data and outputs the captured network data as a plurality of data streams;
receiving from the at least one probe registration data associated with respective data streams, the registration data including identification of the associated probes that output the respective data streams;
selecting at least one data repository unit of the plurality of data repository units to store the first data stream in real time based on a capacity of the plurality of data repository units to receive and store data;
determining that capacity is not sufficient for the data stream in response to a change in the capacity of the plurality of data repository units to receive and store data;
determining a corrective action in response to the determination that the capacity is not sufficient; and
notifying the probe identified in association with the first data stream about the corrective action and implementing the corrective action in the identified probe.

US Pat. No. 9,125,046

SUBSCRIBER ACTIVITY MAP

NetScout Systems, Inc., ...

1. A computer based method for generating an activity map, the method comprising:
monitoring device activity of a user device connected to a network over a period of time;
generating an activity indicator bar including a description of the device activity of the user device in a plurality of time
periods, each of the time periods of the plurality shorter than the period of time;

receiving a selection of one or more of the plurality of time periods;
displaying the activity map simultaneously with the activity indicator bar, the activity map comprising:
a row in a first direction displaying the selected one or more time periods of the plurality in a first direction of the activity
map;

a summary row in the first direction for displaying activities that occurred in at least one of the selected one or more time
periods of the plurality;

a column displaying (1) a plurality of time intervals and (2) descriptions of parameters associated with each of the plurality
of time intervals, the column in a second direction of the activity map, the plurality of time intervals within the selected
one or more time periods of the plurality, each of the time intervals shorter in length than each of the selected one or more
time periods of the plurality and, wherein the descriptions of parameters include at least one of:

identification of a network interface over which data has been transmitted, identification of a geographic region in which
the user device is located, and an indication of two or more access point names associated with the user device; and

a state indicator displayed within each of the plurality of time intervals, the state indicator corresponding to the device
activity of the user device during each of the plurality of time intervals, wherein device activity indicated by the state
indicator includes at least one of a level of data transmitted by the user device and whether an error occurred during one
of the plurality of time periods.

US Pat. No. 10,306,490

MULTI KPI CORRELATION IN WIRELESS PROTOCOLS

NetScout Systems texas, L...

1. A network monitoring system, the system comprising:a processor;
a memory coupled to the processor;
a database including a plurality of key performance indicator (KPI) records for monitoring a wireless communication system, wherein the plurality of KPI records corresponds to a plurality of different protocols;
a rules engine configured and operable to store in the memory KPI rules associated with at least one rule set; and
an analysis engine configured and operable to:
identify, using the processor, one or more root causes of a failure for one or more of the transactions based on at least one KPI rule in the at least one rule set, wherein the at least one KPI rule correlates at least two of the plurality of KPI records across the plurality of different protocols and multiple interfaces;
generate a threshold excess score for each of the at least two of the plurality of KPI records, the threshold excess score indicating a number of detected failures exceeding a predefined threshold;
assign each generated threshold excess score a corresponding weight value to determine a weighted threshold excess score;
generate a KPI score for each of the one or more identified root causes based on a sum of all weighted threshold excess scores associated with the at least two of the plurality of KPI records; and
generate a probability score value for each root cause of the one or more identified root causes based on the generated KPI scores, the probability score comprising a ratio of the KPI score corresponding to the root cause to sum of all KPI scores of all of the one or more identified root causes.

US Pat. No. 10,310,749

SYSTEM AND METHOD FOR PREDICTING DISK FAILURE

NetScout Systems Texas, L...

1. A computer implemented method for predicting failure of a disk in a digital storage system configured to store digital data, comprising:receiving user selection of one or more disk failure factors;
receiving health status data obtained from monitoring the disk;
identifying data included in the health status data that corresponds to the user selection of one or more disk failure factors; and
determining a total failure value for the disk indicative of predicted risk of failure, using the identified data and based on a three dimensional matrix for determining bin failure weights wherein the matrix is defined by separate first, second and third two-dimensional tables, the matrix including includes a disk failure factor along a first axis, bins along a second axis and an umbrella failure factor along a third axis, wherein the first two-dimensional table includes bin failure weights entered corresponding to disk failure factors versus bins, the second two-dimensional table includes bin failure weights entered corresponding to bin weights using umbrella failure factors versus disk failure factors and the third two-dimensional table includes bin failure weights corresponding to umbrella factors versus bins, and wherein the total failure value is determined based on empirical data associated with the selected one or more disk failure factors.

US Pat. No. 9,185,014

REAL-TIME ADAPTIVE PROCESSING OF NETWORK DATA PACKETS FOR ANALYSIS

NetScout Systems, Inc., ...

1. A method for processing network data for analysis, comprising:
receiving data packets by a network monitoring device at a location in a network;
determining a session associated with the received data packets;
generating a common header summarizing information in headers of a plurality of data packets in the session by the network
monitoring device;

generating a unit of payload metadata summarizing information in payloads of the plurality of the data packets in the session
by the network monitoring device;

generating, for each session, a session record including the common header and the payload metadata by the network monitoring
device; and

storing the session record.

US Pat. No. 10,326,640

KNOWLEDGE BASE RADIO AND CORE NETWORK PRESCRIPTIVE ROOT CAUSE ANALYSIS

NetScout Systems Texas, L...

1. A computer system for performing root cause analysis of failures in a telecommunication network including at least a core network and radio access network (RAN), the computer system comprising one or more processors, one or more computer-readable storage devices, and a plurality of program instructions stored on at least one of the one or more storage devices for execution by at least one of the one or more processors, the plurality of program instructions comprising:program instructions to receive information related to one or more failures reported in the telecommunication network;
program instructions to identify one or more network elements associated with the one or more reported network failures;
program instructions to analyze performance and configuration data associated with the one or more identified network elements to identify one or more causes of the one or more reported network failures, wherein if the one or more network elements are components of a core network the analyzed data comprises at least one of Simple Network Management Protocol (SNMP) data, network element's syslog data and Change Management (CM) log data; and
program instructions to perform a root cause analysis of the one or more reported network failures using a knowledge model for each of the one or more identified causes to provide at least one automatic recommendation for resolving the one or more reported network failures, wherein the knowledge model comprises a plurality of predefined inference rules and a statistical inference model, wherein each of the plurality of predefined inference rules associates at least one cause of the one or more reported network failures with at least one recommendation for resolving the one or more reported network failures, and wherein the statistical inference model is configured to estimate relevance of the at least one automatic recommendation provided by the plurality of predefined inference rules based on analyzed historical information related to previously provided recommendations.

US Pat. No. 9,210,419

SYSTEM AND METHOD FOR DIAGNOSTIC MODELING OF AUDIO AND VIDEO QUALITY OF SERVICE

Netscout Systems, Inc., ...

1. A method for determining an objective quality model for quantifying quality of a received signal, the method comprising:
receiving at least one of a transmitted audio signal or a transmitted video signal;
determining a set of diagnostic quality metrics quantifying quality aspects of the received signal, comprising:
determining a first diagnostic quality metric for measuring a reduction in signal quality due to lossy media transmission;
determining a second diagnostic quality metric for measuring a reduction in signal quality due to packet loss concealment;
determining a third diagnostic quality metric for measuring a reduction in signal quality due to playout buffer underflow;
and

wherein the first metric, the second metric, and the third metric are all different and are all provided in the set.

US Pat. No. 10,482,084

OPTIMIZED MERGE-SORTING OF DATA RETRIEVED FROM PARALLEL STORAGE UNITS

NetScout Systems Texas, L...

1. A stream based storage system in a high capacity network, the system comprising:a plurality of storage nodes adapted to provide storage and retrieval of time-based data of one or more data streams in response to a receipt of a time-based data retrieval request associated with the one or nor data streams, each of the one or more data streams comprising a plurality of time-ordered data items having a header comprising two or more timestamps representing a time interval associated with each of the plurality of time-ordered data items;
a plurality of applications providing a user interface to issue the time-based data retrieval request associated with the one or more data streams; and
one or more session managers communicatively coupled to the plurality of applications and to the plurality of storage nodes, the one or more session managers adapted to:
dynamically allocate shared resources between at least some of the plurality of applications submitting simultaneous time-based data retrieval requests;
retrieve data requested by the simultaneous time-based data retrieval requests from one or more of the plurality of storage nodes using timestamp based indexes associated with the one or more data streams in a substantially parallel manner;
merge-sort the retrieved data by time using the timestamp based indexes associated with the one or more data streams;
identify data streams associated with the time-based data retrieval requests;
decompose each of the identified data streams into plurality of stream segments, wherein each of the stream segments represents a contiguous range of bytes that is read from one of the plurality of storage nodes and wherein each of the stream segments has a corresponding time index associated therewith;
combine the time indexes into a plurality of non-overlapping time blocks, wherein the time block is a data structure describing each time range in which one stream segment overlaps another stream segment;
estimate the size of data to request from each of the identified data streams based on an analysis of the non-oyerlapping time blocks; and
transmit the sorted data to the plurality of applications based on a delivery rate controlled by each application associated with each time-based data retrieval request wherein each timestamp based index associates each of the plurality of stream segments with a plurality of time-ordered data items contained within each stream segment and further associates each of the plurality of stream segments with a particular storage file.

US Pat. No. 9,686,157

REAL-TIME ADAPTIVE PROCESSING OF NETWORK DATA PACKETS FOR ANALYSIS

NetScout Systems, Inc., ...

1. A method for processing network data for analysis, comprising:
determining, by a network monitoring device coupled to a computer network, a session associated with data packets received
by a network monitoring device at a location in a network;

generating a common header summarizing information in headers of a plurality of data packets in the session by the network
monitoring device;

generating a unit of payload metadata summarizing information in payloads of the plurality of the data packets in the session
by the network monitoring device; and

generating, for each session, a session record for storing the session record, the session record including the common header
and the payload metadata by the network monitoring device.

US Pat. No. 10,009,254

CALCULATION OF A LOWEST COST PATH

NetScout Systems, Inc., ...

1. A method in a flow controller for automatically selecting an optimal one of a plurality of paths between two ports, the method comprising:identifying, in the flow controller, a plurality of potential paths from a source port to a destination port through a graph representing a network, each of the potential paths including a plurality of vertices and a plurality of edges connecting the plurality of vertices, the plurality of vertices representing a plurality of network nodes and the plurality of edges representing a plurality of network links interconnecting the plurality of network nodes;
assigning edge weights to edges of the plurality of potential paths based on predefined path optimization criteria;
determining, in the flow controller, a cost value for each of the plurality of potential paths based on the assigned edge weights; and
selecting, in the flow controller, one of the plurality of potential flow paths from the source port to the destination port based upon the determined cost value wherein the plurality of network links comprises at least one of cross-switch links and/or backplane links operating either in guaranteed bandwidth mode or aggregated bandwidth mode, and wherein the predefined path optimization criteria includes a number of data transmission hops over a cross-switch link included in a potential path, a number of data transmission hops over a back plane link, bandwidth of an aggregated link included in a potential path and bandwidth of a guaranteed link included in a potential path.

US Pat. No. 9,306,964

USING TRUST PROFILES FOR NETWORK BREACH DETECTION

Netscout Systems, Inc., ...

1. A system comprising:
a network monitor analyzing data packets transmitted through a network;
a trust profile module in communication with the network monitor that includes a trust profile, the trust profile module configured
for:

determining permissible use that includes at least one of:
whether the at least one port transmitting the data packets matches a permissible port identified in the trust profile; and
whether the at least one protocol generating the data packets matches a permissible protocol identified in the trust profile;
determining a set of allowable exceptions to the permissible use including identifying a server and allowing the server to
operate as a client for obtaining software updates from an update server; and

when a communication is determined to be one of a permissible use or an allowable exception, determining whether the communication
is one of a set of acceptable business practices.

US Pat. No. 10,177,964

SYSTEM AND METHOD FOR ACCURATE REPORTING OF FAULT FOR FAILED INTERNET PROTOCOL-BASED CALLS

NetScout Systems, Inc, W...

1. A computer implemented method to identify a call end associated with a problem that caused failure of an internet protocol-based call having first and second call ends, the method comprising:accessing a first call detail record (CDR) set including at least one CDR associated with a first call end of the failed call;
determining from the first CDR set indicators of failure attribution of the failed call;
determining whether fault for failure of the failed call is attributed to the first call end based on the indicators of failure attribution;
outputting an indication that the fault is attributed to the first call end if it was determined that the fault is attributed to the first call end;
outputting the indication to indicate the first call end is acquitted of the fault if it was determined the fault is not attributed to the first call end;
accessing a second CDR set including at least one CDR associated with a second call end of the failed call;
correlating the first and seconds CDR sets as being associated with the failed call;
determining from the second CDR set indicators of failure attribution of the failed call;
determining whether fault is attributed to the first call end or the second call end based on the indicators of failure attribution associated with the first and second CDR sets;
outputting an indication of one of the first and second call ends of the two first and second call ends determined to be attributed with the fault for failure of the failed call; and
outputting an indication to indicate the other of the first and second call ends is acquitted of the fault for failure of the failed call; and
accessing a configurable failure ranking, wherein determining whether the fault is attributed to the first call end or the second call end is further based on relative failure ranking of first and second cause codes included in the indicators of failure attribution.

US Pat. No. 10,601,639

MULTI CAUSE CORRELATION IN WIRELESS PROTOCOLS

NetScout Systems Texas, L...

1. A network monitoring system, the system comprising:a monitoring probe coupled to a wireless network configured to capture packet sessions from the wireless network;
a packet analyzer coupled to the monitoring probe for a analyzing packet session captured from the wireless network by the monitoring probe, the monitoring probe including:
a processor;
a memory coupled to the processor;
a database including session data of one or more transactions in a wireless communication system;
a rule engine configured and operable to store in the memory rules associated with a plurality of rule sets;
determine bandwidth available to packet service sessions and identify real-time bandwidth changes associated with the packet service sessions; and
an analysis engine configured and operable to identify, using the processor:
1) a rule set from the plurality of rule sets based upon a combination of at least two attributes of the packet service sessions selected from the following attributes: physical interface, network protocol, content source and destination identifiers, Access Point Name, interface type, and Quality of Service parameter; and
2) a root cause of a failure for one or more of the transactions based on at least one in the at least one identified rule set and the determined bandwidth available to packet service sessions and identified real-time bandwidth changes associated with the packet service sessions.

US Pat. No. 10,139,543

LIGHT PIPE ARRAY ASSEMBLY FOR A BLADE SERVER

NetScout Systems, Inc., ...

1. A light pipe array assembly comprising:a) a carrier having an elongated platform defining upper and lower horizontal surfaces and a longitudinal axis;
b) a first plurality of light pipes supported on the upper surface of the platform and arranged perpendicular to the longitudinal axis of the platform; and
c) a second plurality of light pipes supported on the lower surface of the platform and arranged perpendicular to the longitudinal axis of the platform in alignment with the first plurality of light pipes, wherein the first and second pluralities of light pipes are optically isolated from each other by the platform of the carrier.

US Pat. No. 10,015,072

CONSOLIDATION OF NETWORK TEST AUTOMATION TOOLS

NetScout Systems, Inc., ...

1. An automated network test system comprising:an integrated network switch connected to a network under test, the network switch comprising:
a first and second plurality of network switch ports;
a physical layer engine coupled to the first plurality of network switch ports;
at least one processor having a plurality of processing cores that can each asynchronously execute a test execution context; and
a test engine having a dynamically configurable impairment injection module, the test engine coupled to the second plurality of network switch ports, the physical layer engine and the at least one processor, the test engine configured for automatic testing of the network under test.

US Pat. No. 9,065,744

PERFORMANCE OPTIMIZED AND CONFIGURABLE STATE BASED HEURISTIC FOR THE CLASSIFICATION OF REAL-TIME TRANSPORT PROTOCOL TRAFFIC

Netscout Systems, Inc., ...

1. A method for classifying network traffic, the method comprising:
receiving a first packet of network traffic on a port;
determining a synchronization source identifier (SSRC) associated with the first packet and a first sequence number associated
with the first packet;

receiving a subsequent packet of network traffic on the port;
determining a synchronization source identifier (SSRC) and a second sequence number associated with the subsequent packet;
determining whether the SSRC associated with the subsequent packet matches the SSRC associated with the first packet;
determining whether the second sequence number associated with the subsequent packet is within a range of sequence number
values, the range defined by (1) a first value greater than the first sequence number and (2) a second value less than the
first sequence number, wherein a first difference between the first sequence number and the first value and a second difference
between the first sequence number the second value are not equal;

calculating an interval time between reception of the first packet and reception of the subsequent packet;
determining whether the interval time is within a range of time values; and
classifying traffic on the port based on whether the SSRC associated with the first packet matches the SSRC associated with
the subsequent packet, the second sequence number associated with the subsequent packet is within the range of sequence number
values, and the interval time is within the range of time values.

US Pat. No. 9,923,808

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A method for routing packets at a packet flow switch, comprising:
receiving at a packet flow switch a packet having a header portion and a payload portion, the packet flow switch in communication
with at least two network probes;

determining whether the received packet is a user plane packet or a control plane packet;
responsive to determining that the received packet is a control plane packet, sending the control plane packet to all of the
at least two probes;

responsive to determining that the received packet is a user plane packet, automatically distributing the user plane packet
to only one of the at least two network probes to automatically balance the monitoring load while sending all user plane packets
associated with a first session instance to the same one of the at least two network probes; and

responsive to identifying that a user plane packet is associated with a new session-instance not already monitored by a network
probe, assigning the user plane packet to one of at least two network probes, the assigning including:

selecting one of the network probes;
saving an identifier of the selected network probe and associating a packet session-instance identifier with the saved identifier
of the selected network probe which includes identifying the session-instance identifier of the received user plane packet
using a value in a payload portion of the packet at a fixed number of bits from a first end of a header portion of the packet;
and

sending the user plane packet to the selected network probe.

US Pat. No. 10,038,632

AIA ENHANCEMENTS TO SUPPORT L2 CONNECTED NETWORKS

NetScout Systems, Inc., ...

1. A method for determining a routing for packets, the method comprising:coupling with one or more inline tool devices and a plurality of networks, two or more of the networks of the plurality of networks having a Layer 2 (L2) connection between the two or more networks of the plurality of networks, the L2 connection providing for communication between the two or more networks of the plurality of networks;
processing an ingress packet received from an ingress inline network port to extract a source Media Access Control (MAC) address and a port identifier associated with the source MAC address;
looking up the extracted source MAC address of the ingress packet in a MAC address table;
forwarding the ingress packet to the one or more inline tool devices;
processing an egress packet received from the one or more inline tool devices to extract at least one of a source MAC address and a destination MAC address;
looking up the extracted source MAC address of the egress packet in the MAC address table;
detecting whether there is an L2 connection based on finding the MAC source address in the MAC address table; and
transmitting the egress packet to an egress inline network port, the egress inline network port being selected based on whether the L2 connection was detected and at least one of the looked up source MAC address and the extracted destination MAC address of the egress packet.

US Pat. No. 9,602,366

SYSTEM AND METHOD FOR CORRECTING CLOCK DISCREPANCY IN SIMULTANEOUS NETWORK TRAFFIC CAPTURES

NetScout Systems, Inc., ...

1. A method for determining clock disparities between a first clock in a first network monitor positioned to capture first
data in a first segment of a network and a second clock in a second network monitor positioned to capture second data in a
second segment of the network, the first and second data transmitted using at least one network transmission protocol, and
the first and second network segments in different tiers of a multi-tiered network system, the method comprising the steps
of:
receiving the first and second data, a packet of the first data traveling through a first network path of the multi-tiered
network system and a packet of the second data traveling through a second network path of the multi-tiered network system
different from the first network path, the traveling through the multiple tiers of the network system including terminating
the packets of the first data and of the second data at a tier of the multi-tier system;

correlating the first and second data into one or more application sessions, wherein data correlated with a first application
session is first application session data that includes packets from both the first data and the second data;

identifying a correct temporal sequence of said first application session data responsive to the at least one network transmission
protocol and restraints of the multi-tiered network architecture, the restraints to which the identifying is responsive including
locations in the multi-tiered network structure of the first and the second network monitors; and

determining the disparity between the first and second clocks by comparing timestamps of said first application session data
with said correct temporal sequence of said first application session data and accounting for the disparity when analyzing
data captured by at least one of said first network monitor and said second network monitor wherein the disparity corresponds
to an offset value and a scaling value wherein said offset value and said scaling value is utilized when analyzing data captured
by at least one of said first network monitor and said second network monitor.

US Pat. No. 10,601,869

SYSTEM AND METHOD TO ESTIMATE QUALITY OF EXPERIENCE FOR CONSUMPTION OF ENCRYPTED MEDIA NETWORK TRAFFIC

NetScout Systems Texas, L...

1. A computer-implemented method to process encrypted network traffic comprising:intercepting, at an encrypted network application protocol layer, network traffic having network traffic flow associated with a subscriber;
determining from the encrypted network application protocol layer in the intercepted network traffic a media service provided to a network subscriber, and encrypted application-layer and payload data of the network traffic providing the media service to the network subscriber;
detecting media traffic within the network traffic providing the media service to the network subscriber;
associating application-layer data of the media traffic to a media session;
determining, at the encrypted network application protocol layer, a key performance indicator (KPI) associated with the media session from the intercepted network traffic; and
outputting report data based on the KPI.

US Pat. No. 10,439,899

SERVICE SUMMARY VIEW

NetScout Systems, Inc., ...

1. A method for reporting service performance statistics in a network, the method comprising steps of:receiving an Adaptive Service Intelligence (ASI) data set related to a monitored service from a plurality of interfaces;
determining a service relationship model associated with a monitored service, the service relationship model comprising one or more service members wherein at least two of the service members are observed for a predefined time period to identify interrelated service members based upon behavior patterns of the observed service members with respect to one or more performance metrics;
analyzing performance of each of the one or more service members using the received ASI data set;
identifying one or more performance metrics for each of the one or more service members, wherein the identified performance metrics are indicative of corresponding service member's performance; and
generating a graphical user interface displaying a graphical representation of the identified performance metrics based on the analysis, the graphical representation providing an aggregated view indicative of performance of the one or more service members.

US Pat. No. 10,122,606

SYSTEM AND METHOD FOR ESTIMATING AN AMOUNT OF ACKNOWLEDGED APPLICATION DATA TRANSMITTED BY ENCRYPTED TRANSPORT

NetScout Systems, Inc., ...

1. A computer implemented method to process bidirectional network traffic having encrypted application data and using an encrypted transport protocol, the method comprising:estimating, by at least one processing device, a size of encrypted application data in respective packets of the bidirectional network traffic, wherein the packets of the bidirectional network traffic are transported in opposing directions;
assigning, by the at least one processing device, timing criteria to the respective application packets transported in the opposing directions that were determined to include a minimum amount of encrypted application data, the timing criteria being based on a time of observation at an observation point of the corresponding application packet;
acknowledging, by the at least one processing device, for the respective packets of the application packets, application packets selected based on the timing criteria assigned to the respective application packets; and
estimating, by the at least one processing device, an amount of encrypted application data transported in at least one of the opposing directions, the estimation of the amount of encrypted application data being based on a sum of the estimated size of the encrypted application data in the respective acknowledged packets transported in the at least one of the opposing directions that were observed during a selected time interval.

US Pat. No. 10,111,147

INTELLIGENT CALL TRACKING TO DETECT DROPS USING S1-AP AND SIP SIGNALING

NetScout Systems, Inc., ...

1. A method for tracking a status of a call in a wireless communication system including an eNodeB and a Mobile Management Entity (MME), the method comprising steps of:receiving, by a processor, a plurality of data packets from the wireless communication system;
analyzing, by a processor, S1-Application Protocol (S1-AP) signaling messages exchanged between the eNodeB and the MME over a first interface for the specified time period and analyzing bearer related events and one or more error codes associated with the bearer related events, the S1-AP signaling messages associated with live calls being made or attempted in the wireless communication system to identify one or more dropped calls;
tracking S1-AP session information corresponding to the analyzed S1-AP messages, wherein each tracked S1-AP session maintains one or more E-Radio Access Bearer (E-RAB) QoS class identifiers (QCI) values for each E-RAB associated with the S1-AP session;
analyzing, by a processor, S1-AP signaling cause codes associated with the one or more identified dropped calls to identify one or more call drop reasons; and
generating, by a processor, an Adaptive Session Intelligence (ASI) data set based on the combined analysis of the S1-AP signaling messages, one or more QCI values and of the S1-AP signaling cause codes, wherein the ASI data set includes one or more metrics indicative of E-RAB status at different stages of a corresponding live call.

US Pat. No. 10,547,532

PARALLELIZATION OF INLINE TOOL CHAINING

NetScout Systems, Inc., ...

1. A system comprising:a plurality of inline tools configured to monitor and analyze a flow of network traffic; and
an Advanced Inline Aggregation (AIA) device connected to the plurality of inline tools, the AIA device having stored therein a plurality of programming instructions, which when executed on the AIA device cause the AIA device to:
process an ingress packet to extract a plurality of packet header fields and to generate a packet identifier and to determine whether a received ingress packet includes a packet injected by one of the plurality of inline tools devices based on a user-configurable MAC address;
transmit the ingress packet directly to a switching device as an egress packet in response to determining it includes a packet injected by one of the plurality of inline tools devices based on a user-configurable MAC address;
generate a first hash index by hashing information associated with the plurality of packet header fields;
store a copy of the ingress packet and the packet identifier in a hash table entry using the generated first hash index;
simultaneously forward the ingress packet to each of the one or more inline tool devices;
start a latency timer with a predefined timer value;
process an egress packet received from one of the plurality of inline tools to extract the plurality of packet header fields;
generate a second hash index by hashing information associated with the plurality of packet header fields;
retrieve the packet identifier from the hash table based on the generated second hash index;
increment a counter value associated with the egress packet;
determine whether the latency timer is greater than zero;
determine whether the counter value is equal to a total number of devices included in the plurality of inline tool devices, in response to determining that the latency timer is equal to zero; and
transmit the egress packet to a switching device based on the retrieved packet identifier, in response to determining that the counter value is equal to the total number.

US Pat. No. 10,541,894

METHOD FOR ASSESSING THE PERCEIVED QUALITY OF ADAPTIVE VIDEO STREAMING

Netscout Systems, Inc., ...

1. A network analyzer device for assessing perceived quality of adaptive media streaming in a network, comprising:an interface device for coupling to a network;
a media analyzing device for analyzing adaptive media content received from a network via the interface device configured to analyze one or more sets of packets contained in the received adaptive media content;
a quality analyzer device having a processor configured to:
receive, from the media analyzing device, an encoded stream of adaptive media content comprising audio signals and video signals;
decode the received stream of adaptive media content and determine a number of quality change events in the received decoded stream for a predetermined period of time;
determine a difference value between a highest quality level value detected in the decoded received stream for the predetermined period of time and a lowest quality level value detected in the decoded received stream for the predetermined period of time; and
generate a first quality impact score value for the decoded received stream based on the determined number of quality change events and based on the determined quality level difference value, wherein the Quality Impact Score=a1*NumberofQualityChanges+a2*MaxQualityDifference+a3*NumberofQualityChanges*MaxQualityDifference, where NumberofQualityChanges represents a number of detected quality of change events, MaxQualityDifference represents the quality difference value and where a1, a2 and a3 are scoring factors.

US Pat. No. 10,292,061

METHOD OF TROUBLESHOOTING USING CUSTOMIZABLE TROUBLESHOOTING INDICATORS OVER BUCKETS OF VARIABLE TIME

NetScout Systems, Inc, W...

1. A network device for facilitating diagnosis of problems experienced in a wireless network, the network device comprising:a network interface configured to receive program instructions to receive event data occurring in the wireless network from one or more network monitoring devices positioned at one or more locations in the wireless network, wherein the event data includes a plurality of events associated with at least one subscriber and having one or more attributes;
a memory for storing processed event data sets and generated records;
a troubleshooting engine;
a processor disposed in communication with the memory and troubleshooting engine, wherein the processor upon execution of instructions is configured to:
send the received event data to the troubleshooting engine for analysis thereof and group the received time-ordered events associated with the event data into a plurality of categories based on time and event attributes;
send the grouped time-ordered events associated with the event data from the troubleshooting engine to the memory and generate a plurality of records associated with the plurality of categories in the memory, wherein each record uniquely characterizes a corresponding category and has a uniform event density; and
render to a user an interactive graphical representation of the plurality of records via a graphical user interfaces.

US Pat. No. 10,542,330

AUTOMATIC ADAPTIVE NETWORK PLANNING

NetScout Systems, Inc., ...

1. A method for automatic adaptive network planning, the method comprising steps of:receiving a first list comprising a plurality of potential sites;
receiving a set of network coverage goals for a wireless network and receiving a plurality of models substantially related to the network coverage;
generating a wireless network coverage map for each site of the plurality of potential sites based on the plurality of received models, the coverage map comprising a plurality of locations within a corresponding coverage area;
calculating, for each location of the plurality of locations for each site of the plurality of sites, the likelihood of the network coverage goals being realized using the generated wireless network coverage map including generating a site coverage value for each of the plurality of potential sites and wherein calculating a location coverage value for each location of the plurality of locations for each site and calculating the site coverage value is based on a vector dot product of the location coverage value and the square of an overall location coverage percentage; and
automatically generating a second list of proposed active sites comprising a subset of the sites included in the first list based on the calculations performed for each location of the plurality of locations, wherein the second list of proposed active sites substantially meets the set of network coverage goals.

US Pat. No. 10,063,431

DETECTING AND REPORTING THE IMPACT OF HANDOVERS ON SUBSCRIBER QUALITY OF EXPERIENCE

NetScout Systems, Inc., ...

1. A method of monitoring, detecting and reporting impact of handovers on quality of experience for one or more users in a mobile cellular network, the method comprising steps of:collecting, in a quality analyzing apparatus, from a plurality of coupled mobile network elements, session records specifying data about sessions handled by two or more mobile network elements, wherein each session record comprises a data portion and a media portion and wherein each session comprises two or more session segments;
identifying, in the quality analyzing apparatus, one or more session segments having one or more session media gaps from the media portions of the collected session records, wherein at least some of the session media gaps are associated with a handover procedure between a first and second mobile network elements and further including classifying a session media gap as media gap associated with the handover procedure in response to determining that a start time of the session media gap is earlier than a start time of a corresponding session segment and classifying a session termination as a call drop caused by the handover procedure, in response to analyzing Session Initiation Protocol (SIP) messages associated with a corresponding session segment;
calculating and storing, in the quality analyzing apparatus, a plurality of performance metrics related to the handover procedures in the identified session segments; and
rendering, by the quality analyzing apparatus, to a user an interactive graphical representation of the stored performance metrics via a graphical user interface.

US Pat. No. 9,876,685

HYBRID CONTROL/DATA PLANE FOR PACKET BROKERING ORCHESTRATION

NetScout Systems, Inc., ...

1. A system for configuring one or more flows of data packets through a hybrid communication network, the system comprising:
a first segment of the hybrid communication network, the first segment comprising a stacked full mesh topology of communicatively
coupled plurality of network captured traffic distribution devices;

a second segment of the hybrid communication network, the second segment comprising one or more OpenFlow switches configured
for an OpenFlow protocol; and

a management server communicatively coupled to the first segment and to the second segment, the management server comprising
logic integrated with and/or executable by a processor of the management server, the logic being adapted to receive new data
flow entry from a user, the new data flow entry comprising at least ingress port information and egress port information;
determine whether the ingress port and the egress port belong to the same segment of the hybrid communication network and
configure one or more data flows of captured data packets with respect to forwarding the captured data packets between the
first and second segments of the hybrid communication network in response to determining that the ingress port and the egress
port do not belong to the same segment of the hybrid communication network.

US Pat. No. 10,082,556

NETWORK TABLE ERROR DETECTION AND CORRECTION USING ANALYTICS DATA

NetScout Systems, Inc, W...

1. A system for correcting network planning data, the system comprising:a planning repository comprising information on network traffic, network element locations, and network element connectivity;
a repository of a wireless network comprising a plurality of call data records; and
an information processing system comprising a processor and a memory device coupled to the processor in communication with the planning database and with the repository of the wireless network, the memory device containing a set of instructions that, when executed by the processor, cause the processor to:
receive location data associated with a wireless network cell from a plurality of devices connected to the wireless network, the location data from each device including a unique identifier and a timestamp wherein the location data includes one or more of global positioning system (GPS) data, cell tower identification data, Galileo data, GLONASS data and data received from a Wi-Fi access point;
identify one or more call data records associated with the received location data based on the unique identifier and the timestamp information; and
compare information in the received location data with corresponding information stored in the identified one or more call data records to identify one or more errors in the information stored in the planning repository, including:
determine a physical distance between a physical location of the device associated with the identified call data record and a physical location of a network element in communication with the device, wherein the physical location of the device and the physical location of the network element are determined based on the received location data; and
calculate a timing advance value based on the determined physical distance; and
compare the calculated timing advance value with a reported timing advance value included in the identified call data record.

US Pat. No. 10,469,364

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A method for routing packets at a packet flow switch, comprising:receiving at a packet flow switch a packet having a header portion and a payload portion, the packet flow switch in communication with at least two network probes;
determining whether the received packet is a user plane packet or a control plane packet;
responsive to identifying that a user plane packet is associated with a new session-instance not already monitored by a network probe, assigning the user plane packet to one of at least two network probes, the assigning including:
selecting one of the network probes;
saving an identifier of the selected network probe and associating a packet session-instance identifier with the saved identifier of the selected network probe which includes identifying the session-instance identifier of the received user plane packet using a value in a payload portion of the packet at a fixed number of bits from a first end of a header portion of the packet; and
sending the user plane packet to the selected network probe; and
selecting a control plane packet associated with a session-instance of a network, the control plane packet stored in a memory of a network probe;
determining whether a condition measuring the inactivity of the session-instance is met; and
responsive to determining that the condition is met, removing the control plane packet of the session-instance.

US Pat. No. 10,397,079

VIDEO DELIVERY PERFORMANCE ANALYSIS FOR EMBMS

Netscout Systems, Inc., ...

1. A system for evaluating quality of video delivered over a telecommunications network, the system comprising:one or more monitoring probes coupled to one or more network interfaces providing direct communication between two or more networked devices, the monitoring probes configured to capture video data from the network interfaces; and
a processor adapted to analyze the video data captured by the monitoring probes, the processor operatively configured to:
determine a number of lost data packets within the captured video data;
determine probability of unrecoverable losses that cannot be decoded within the captured video data based on the determined number of lost data packets wherein the captured video data comprises one or more Forward Error Correction (FEC) encoded video files and wherein the captured video data comprises one or more DASH formatted content segments;
monitor links between a media server and a Broadcast Multicast Service Center (BMSC) and determine missing HTTP video data segments due to failure in DASH segmentation; and
calculate a video quality index value based on the determined probability of unrecoverable losses.

US Pat. No. 10,069,763

METHOD TO ESTABLISH A NON-DISRUPTIVE COMMUNICATIONS PATH BETWEEN MULTIPLE DEVICES

NetScout Systems, Inc., ...

1. A method in a switching network for establishing a communication path, the method comprising:identifying, in a flow controller, a routing path between a source port on a source switch in communication with an external source node and a destination port on a destination switch in communication with an external destination node;
sending, by the flow controller, a first message to the source switch and the destination switch, the first message instructs the source switch and the destination switch to prepare for establishing a connection;
sending, by the flow controller, a second message to the destination switch responsive to receiving first acknowledgment messages from the source switch and the destination switch, the second message instructs the destination switch to establish a connection along the identified routing path;
sending, by the flow controller, a third message to the source switch responsive to receiving second acknowledgment message from the destination switch, the third message instructs the source switch to establish a connection between the source port and the established connection along the identified routing path; and
sending, by the flow controller, a fourth message to the source switch and the destination switch responsive to a failure to receive the first acknowledgment messages from the source switch and the destination switch, the fourth message instructs the source switch and the destination switch to cancel establishment of the connection.

US Pat. No. 10,382,290

SERVICE ANALYTICS

NetScout Systems, Inc, W...

1. A method for reporting service performance statistics in a network, the method comprising steps of:receiving, by a processor, an Adaptive Service Intelligence (ASI) data set related to a monitored service from a plurality of interfaces and sending a first copy of received ASI data to a device for analysis and a second copy of the received ASI data to a storage device;
analyzing performance of a monitored service within a context of the performed service using the acquired ASI data set;
analyzing performance of the monitored service outside of the context of a performed service using the received ASI data set;
determining at least one of one or more relationship dependencies associated with the monitored service;
analyzing performance of each of the at least one relationship dependencies using the acquired ASI data set; and
generating a report comprising one or more ASI data set values indicative of service performance degradation based on the analysis.

US Pat. No. 10,390,180

GEOLOCATION DETERMINATION WITH POWER FINGERPRINTING

NetScout Systems, Inc, W...

1. A method for deriving geolocation of a mobile device within a coverage area of a cellular communication network, the method comprising:receiving pathloss data and measurement data associated with a plurality of individual sectors within a plurality of individual cells of the cellular communication network, each of the plurality of individual sectors comprising a plurality of geographic bins;
determining one or more reception power measurements for each of the plurality of geographic bins;
generating a plurality of maps including two or more regions of one of the plurality of individual cells for each of the plurality of individual sectors based on at least one characteristic included in the received pathloss data or measurement data or based on the determined one or more reception power measurements, wherein the two or more cell regions include at least inner cell center region, outer cell center region and cell edge region and wherein each of the two or more cell regions includes a plurality of geographic bins grouped together based on one or more measurements and wherein the plurality of maps associates each bin of the plurality of geographic bins with at least one of neighbor cell information, time advance information and best network server information and wherein the associations are stored in a data repository; and
determining geolocation of the mobile device based on the generated plurality of maps, wherein determining geolocation of the mobile device comprises selecting a subset of geographic bins from the plurality of geographic bins based on at least some of the neighbor cell information, the time advance information and the best network server information contained within the generated plurality of maps.

US Pat. No. 10,382,883

AUTOMATIC CALIBRATION OF GEOLOCATION ANALYTIC SYSTEMS AND OPERATOR NETWORK EQUIPMENT PARAMETERS

NetScout Systems, Inc., ...

1. A method for calibrating geolocation analytic system in a wireless network, the method comprising steps of:receiving a first data set comprising measurement data associated with a mobile device connected to the wireless network from a first data source;
receiving a second data set comprising external geo-location data associated with the mobile device from a second data source;
comparing the first data set to the second data set to estimate geo-location of the mobile device and to identify one or more errors using calibration function wherein the one or more identified errors includes a calculated signal propagation delay value error; and
correcting the identified one or more errors based on the comparison including providing periodic updates to propagation parameter data.

US Pat. No. 10,289,473

SITUATION ANALYSIS

NETSCOUT SYSTEMS, INC., ...

1. A computer method for performing root cause analysis of failures in a computer network, the method comprising:receiving, by a processor, an Adaptive Service Intelligence (ASI) data set related to one or more failures reported in the computer network from a plurality of interfaces;
identifying, by a processor, one or more impact events associated with the one or more reported failures based on the received ASI data set;
correlating, by a processor, each of the identified one or more impact events with one or more cause events; and
selectively generating, by a processor, a situation record based on the correlated one or more impact events with the one or more cause events.

US Pat. No. 10,284,471

AIA ENHANCEMENTS TO SUPPORT LAG NETWORKS

Netscout Systems, Inc., ...

1. A method for maintaining packet's source network identification information while aggregating packets from a plurality of networks, the method comprising:processing an ingress packet to extract a plurality of packet header fields and port identifier;
generating a first hash index by hashing information associated with the plurality of packet header fields from the ingress packet;
storing the port identifier in a hash table using the generated first hash index;
forwarding the ingress packet to one or more inline tool devices configured to monitor and analyze a flow of Multi Link Aggregation Group (MC-LAG) traffic configured such that one or more links comprising one LAG terminate at ports on a first device and one or more links comprising the same LAG terminate on a second device;
processing an egress packet received from the one or more inline tools to extract the plurality of packet header fields from the egress packet;
generating a second hash index by hashing information associated with the plurality of packet header fields from the egress packet;
retrieving the port identifier from the hash table based on the generated second hash index; and
transmitting the egress packet to a switching device based on the retrieved port identifier.

US Pat. No. 10,631,184

SELECTIVE USER PLANE MONITORING MULTIPLE MONITORING PROBES WHEN A SERVING GATEWAY HAS MULTIPLE IP ADDRESSES

NetScout Systems, Inc, W...

1. A system for selective user plane monitoring in a wireless network, the system comprising:a service getaway (SGW) having a plurality of blade units, each blade unit having at least one processor, a memory and a unique IP address;
a network packet broker configured to receive a plurality of packets each associated with a subscriber identifier comprising user plane data from one or more tunnels created to enable direct transmission of the user plane packets from user equipment to the plurality of SGW units and configured to receive a plurality of packets comprising control plane data from one or more channels created to enable transmission of the control plane packets from a base transceiver station to the SGW; and
a plurality of monitoring probes operatively coupled to the network packet broker, the monitoring probes are configured to generate same control plane metrics associated with the received control plane packets for all subscriber identifiers and configured to generate a first plurality of user plane metrics associated with the received user plane packets for all subscriber identifiers and selectively generate a second plurality of user plane metrics for a subset of the subscriber identifiers wherein the second plurality of user plane metrics is different than the first plurality of user plane metrics identifiers,
wherein the network packet broker is configured to forward a plurality of user plane packets being processed by a particular SGW unit to a particular monitoring probe of the plurality of probes.

US Pat. No. 10,320,643

CLOUD COMPUTING ENVIRONMENT SYSTEM FOR AUTOMATICALLY DETERMINING OVER-THE-TOP APPLICATIONS AND SERVICES

NetScout Systems, Inc., ...

1. A cloud computing environment system for determining Over-The-Top (OTT) applications and services without parsing an encrypted payload, the system comprising:a cloud computing environment partitioned into a plurality of cloud partitions, wherein the plurality of cloud partitions includes at least a first cloud partition comprising a first wireless network operator's cloud, a second cloud partition comprising a second wireless network operator's cloud and a shared partition configured to receive and store information uniquely identifying one or more OTT applications supported by at least one of the first and second wireless network operators; and
a plurality of active agents, each active agent comprising a processor and a memory device coupled to the processor in communication with a corresponding wireless network operator's cloud, the memory device containing a set of instructions that, when executed by the processor, cause the processor to:
receive a list of OTT service platforms supported by a corresponding wireless network operator, wherein the received list comprises a plurality of URLs associated with various applications that are delivered by the OTT service platforms;
connect to the plurality of URLs to determine information uniquely identifying one or more of the OTT service platform applications; and
store the information uniquely identifying one or more of the OTT applications in the shared partition of the cloud computing environment.

US Pat. No. 10,284,440

REAL-TIME ADAPTIVE PROCESSING OF NETWORK DATA PACKETS FOR ANALYSIS

NetScout Systems, Inc, W...

1. A method, comprising:determining first and second sessions associated with data packets received by a network monitoring device at a location in a network;
generating a common header summarizing information in headers of a plurality of data packets in each of the first and second sessions by the network monitoring device; and
generating, for each first and second session, a session record for respectively storing the common header of the first and second session, and storing mapping information representing association of the first session with the second session when the first and second sessions are associated with planes in a same protocol.

US Pat. No. 10,637,771

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A packet flow switch apparatus coupled to a network for monitoring network traffic, comprising:a packet flow switch in communication with a plurality of network probes each configured and operative to generate an ASI data set including key performance indicators and Adaptive Session Records, the packet flow switch configured to receive packets transmitted through a plurality of communication network data links, wherein the packet flow switch is further configured to:
determine if a received packet is one of a control plane packet or one of a user plane packet;
responsive to determining the received packet is a control plane packet causing the control plane packet to be distributed to each of the plurality of network probes coupled to the flow switch regardless of a session instance the control packet is associated with;
responsive to determining the received packet is a user plane packet, determine a packet session-instance the determined user plane packet is associated with regardless of association with a control plane packet;
update a session-instance database to include a determined packet session-instance if not already present in the session-instance database;
purging a control plane packet from each of the probes it is distributed to contingent upon prescribed criteria; and
purging a determined packet session-instance from the session-instance database when a control plane packet associated with the packet session-instance is purged from each of the probes;
the packet flow switch comprising;
a load balancer configured to automatically select only a first network probe to receive the user plane packets of a determined session-instance transmitted through the plurality of data links with reference to the session-instance database, thereby approximately balancing the processing load of user plane packets between the plurality of network probes; and
a switch to route user-plane packets of a determined packet session-instance to the automatically selected network probe.

US Pat. No. 10,631,182

MONITORING DECIPHERED S1 PACKETS ON UNIFIED SERVING NODES

Netscout Systems, Inc., ...

1. A method for monitoring deciphered packets on a Unified Serving Node (USN), the method comprising steps of:continuously capturing a first plurality of unciphered packets transmitted between user equipment (UE) and the USN over a first interface, a second plurality of at least partially ciphered packets transmitted between the UE and USN over a second interface, a third plurality of unciphered packets transmitted between the USN and a Home Location Register (HLR) over a third interface and a fourth plurality of unciphered packets transmitted between the USN and a Home Subscriber Service (HSS) over a fourth interface, the first plurality of packets containing temporary and permanent user identifying information and ciphering key information associated with the first plurality of packets, the second plurality of packets containing temporary and permanent user identifying information associated with the second plurality of packets and the third plurality of packets containing permanent user identifying information and ciphering key information associated with the second plurality of packets;
extracting the temporary user identifying information, the permanent user identifying information and the ciphering key information from the captured first, second, third and fourth pluralities of packets;
correlating the temporary user identifying information and the permanent user identifying information with the ciphering key information to determine first mappings between the permanent user identifying information and corresponding temporary user identifying information;
storing the first mappings and associated ciphering key information in a data repository;
continuously capturing a fifth plurality of at least partially ciphered packets and unciphered packets transmitted between the UE and the USN over a fifth interface, the at least partially ciphered packets of the fifth plurality are ciphered using Non Access Stratum (NAS) ciphering key information and the unciphered packets of the fifth plurality contain temporary user identifying information associated with the fifth plurality of at least partially ciphered packets, wherein the fourth plurality of packets contains NAS deciphering key information associated with the fifth plurality of at least partially ciphered packets;
extracting the temporary user identifying information and the NAS ciphering key information from the captured unciphered packets of the fifth plurality;
retrieving from the data repository permanent user identifying information corresponding to the temporary user identifying information retrieved from unciphered packets of the fifth plurality based on the stored first mappings;
retrieving NAS deciphering key information corresponding to the retrieved permanent user identifying information; and
deciphering the at least partially ciphered packets of the fifth plurality of packets based on the retrieved NAS deciphering key information during inter radio access technology (RAT) handover by the UE.

US Pat. No. 10,630,569

AUTOMATICALLY DETERMINING OVER-THE-TOP APPLICATIONS AND SERVICES

NetScout Systems, Inc, W...

1. A method for determining Over-The-Top (OTT) applications and services without parsing an encrypted payload, the method comprising steps of:receiving, by an active agent, a list of OTT service platforms to be monitored by the active agent, wherein the received list comprises a plurality of URLs associated with various applications that are delivered by the OTT service platforms;
connecting, by the active agent, to the plurality of URLs to determine information uniquely identifying one or more of the OTT service platform applications;
storing, by the active agent, the information uniquely identifying one or more of the OTT applications in a repository;
monitoring, by a computer processor in a network monitor, a plurality of data flows between a plurality of sources and destinations on a network, each of the plurality of data flows comprising a plurality of data packets of the various applications that are delivered by the OTT service platforms;
extracting, by the computer processor of the network monitor, at least a portion of header information from each of the plurality of monitored data packets;
identifying, by the computer processor of the network monitor, an OTT application occurring on the network based on the extracted header information and based on the information uniquely identifying various OTT applications stored in the repository;
collecting a plurality of performance metrics related to an identified OTT application; and
generating an Adaptive Session Intelligence (ASI) data set having a plurality of performance statistics relating to an identified OTT application.

US Pat. No. 10,771,377

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A method for routing data packets at a packet flow switch, comprising:determine if packets received from a monitored network is one of a control packet or one of a user plane packet utilizing a plurality of network probes each configured and operative to generate an ASI data set including key performance indicators and Adaptive Session Records;
responsive to determining the received packet is a control plane packet, causing the control plane packet to be distributed to each of the plurality of network probes;
responsive to identifying that a user plane packet is associated with a new session-instance not already monitored by a network probe, assigning the user plane packet to one of the plurality of network probes and updating a session-instance database to include an identified packet session-instance if determined a new session-instance, the assigning comprising:
selecting one of the network probes;
saving an identifier of the selected network probe and associating a packet session-instance identifier with the saved identifier of the selected network probe; and
sending the user plane packet to the selected network probe; and
purging a control packet from each of the probes it is distributed to contingent upon prescribed criteria; and
purging a packet session-instance from the session-instance database when a control plane packet associated with the packet session-instance is purged from each of the probes.

US Pat. No. 10,992,777

SYSTEM AND METHOD FOR IDENTIFYING OTT APPLICATIONS AND SERVICES

NetScout Systems, Inc, W...

1. A computer implemented method for determining the identity of an Over-the Top (OTT) application or service being accessed over the Internet, comprising the steps:receiving a connection request in a network monitoring device;
inspecting IP packets in the received connection request;
generating a 5-tuple consisting of: IP source and destination addresses; a layer 4 transport protocol (e.g. TCP or UDP), and a transport protocol source and destination ports contained in the received connection request wherein the generated 5-tuple is compapred with entries in a connection table to determine if the received connection request is a new or existing connection request, whereby if there is no existing entry, then a new entry is created matching the generated 5-tuple associated with the received connection request;
determining if one or more entries are present in the received connection request have an IP address that matches a known server IP address;
determining if the received connection request is a HTTP connection request;
determining if the received connection request is a HTTPS or QUIC connection request;
determining if a subject field in the received connection request is available if no determination is made as to whether if the received connection request is either a HTTP, HTTPS or QUIC connection request;
determining if a candidate domain name is available from IP cache created from one or more of the above steps if no determination is made as to whether the received connection request is either a HTTP, HTTPS or QUIC connection request and no subject field is available in the received connection request; and
identifying and categorizing OTT applications associated with the received connection request if it is determined: the connection is either a HTTP, HTTPS or QUIC connection type; a subject field is available; or a candidate domain name is available utilizing a lookup table that is periodically updated with new OTT applications.

US Pat. No. 10,673,785

FLOW AND TIME BASED REASSEMBLY OF FRAGMENTED PACKETS BY IP PROTOCOL ANALYZERS

Netscout Systems, Inc., ...

1. A method, performed by a computer system having one or more processors and memory storing one or more programs for execution by the one or more processors, for processing a plurality of fragments of IP packet flows in a communications network, the method comprising steps of:receiving the plurality of packet fragments, wherein the received packet fragments are associated with one or more packet flows over a preconfigured time sliding window (TSW) composed of a contiguous set of M time intervals, wherein each interval is a preselected fixed duration of ts milliseconds;
selecting a first set of N packet flows from a first pass through of the one or more received packet flows, the first set of N packet flows corresponding to a subset of the plurality of packet fragments received during a first predefined time interval of the set of M time intervals of the TSW;
generating a unique list of Fn non-repeated flow identifiers for the first selected set of N packet flows of non-repeated flow identifiers;
determining, by a second pass through of the received packet flows, if a received packet fragment is associated with a flow identifier contained in the generated unique list of Fn non-repeated flow identifiers;
discarding the received packet fragment not found in the preconfigured TSW, based upon the determination of whether the received packet fragment is not associated with a flow identifier contained in the generated unique list of non-repeated flow identifiers; and
reassembling only packet fragments associated with the first set of packet flows into full packets only if the packet fragments are received in the first predetermined time interval.

US Pat. No. 10,944,651

MULTI-PROTOCOL CORRELATION FOR NETWORK SUBSCRIBER TROUBLESHOOTING

NetScout Systems Texas, L...

1. A method for multi-protocol monitoring and correlation, the method comprising steps of:monitoring, via a network monitoring device, an exchange of network data;
intercepting network data from the monitored network wherein the intercepted network data consists of captured user plane packets and control plane packets;
aggregating captured network performance data from the captured user plane packets and control plane packets, comprising a plurality of captured network performance metrics for a plurality of subscriber session records associated with a plurality of protocols;
performing a first level of correlation between the plurality of subscriber session records using one or more direct correlation rules, wherein the correlated subscriber session records associated with the plurality of protocols are related to a same subscriber session and wherein the first level of correlation is a shallow correlation whereby the protocols and child sessions are grouped and associated with the same subscriber session; and
performing a second level of correlation between the correlated subscriber session records using one or more indirect correlation rules based on the performed first level of correlation and wherein the second level of correlation is a deep correlation whereby the child sessions are grouped and associated with the same subscriber session per each protocol.

US Pat. No. 11,032,793

PROCESSING PAGING REQUESTS MESSAGES IN A WIRELESS COMMUNICATION SYSTEM

NetScout Systems, Inc, W...

1. A method by a network device in a communication system for filtering paging messages in a data packet stream associated with a UE device, the method comprising:receiving a data packet stream having a Paging Message packet from a network node device in the communication system;
determining an identity of a User Equipment (UE) associated with the received Paging Message packet;
determining if Paging Message information associated with the determined UE is stored in memory; and
filtering the received Paging Message packet from the received data packet stream in the event stored Paging Message information was determined to be associated with the determined UE;
storing information associated with the received Paging Message packet in the memory in the event there is no Paging Message information stored in the memory associated with the determined UE;
determining if a predetermined time period has elapsed for storage in the memory of Paging Message information associated with the determined UE; and
removing the information associated with Paging Message packet from the memory in the event the predetermined time period has elapsed.

US Pat. No. 10,966,108

OPTIMIZING RADIO CELL QUALITY FOR CAPACITY AND QUALITY OF SERVICE USING MACHINE LEARNING TECHNIQUES

NetScout Systems, Inc, W...

1. A method for optimizing a radio access network, the method comprising steps of:receiving at least one area of the radio access network to be analyzed from a user and receiving a desired outcome from a user;
identifying a plurality of network monitoring parameters related to a user requested analysis including user data and control plane data;
correlating the identified plurality of network monitoring parameters;
performing a root cause analysis using an automated classification model based on the correlated plurality of network monitoring parameters;
generating a recommendation related to the desired outcome based on the performed root cause analysis;
confirming with the user one or more aspects of the recommendation via a Graphical User Interface (GUI) which confirmation includes repeating the performance of the root cause analysis based upon a user entered numerical value indicative of the user's percentage certainty of the performed root cause analysis; and
updating the generated recommendation based upon the user confirmation and wherein the generated recommendation includes a confidence factor of a root cause by combining corresponding individual probabilities of preconditions.

US Pat. No. 10,785,111

FAULT-TOLERANT MONITORING OF TUNNELED IP FLOWS

NetScout Systems, Inc, W...

1. A method for monitoring tunneled Internet Protocol (IP) traffic in a communications network, the method comprising steps of:monitoring tunnel signaling flows to determine relationships between tunnels and subscriber sessions for each established tunnel;
analyzing General Packet Radio Service (GPRS) Tunnel Protocol (GTP) packets in a GTP session to determine whether Fully Qualified Tunnel Endpoint Identifiers (F-TEIDs) of packets transmitted through the tunnel are created, modified and dropped for subscriber sessions wherein each F-TEID represents a combination of a destination IP address and a tunnel endpoint identifier (TEID) for a GTP packet;
storing first tunnel signaling state in a data repository for each established tunnel, the first tunnel signaling state is indicative of the determined relationship between the tunnel and corresponding subscriber sessions; and
validating second tunnel signaling state based on the stored first tunnel signaling state to identify incorrect association between a monitored tunnel and corresponding subscriber session, in response to detecting a monitoring gap such that validation of tunnel flow states is performed prior to establishing monitoring the second tunnel, by retrieving a last assigned IP address associated with the first tunnel and stored subscriber addresses associated with the subscriber sessions to determine that the destination IP address of user plane traffic flowing through the second tunnel does not correlate with the last assigned IP address associated with the first tunnel.

US Pat. No. 10,673,689

SYSTEM AND METHOD FOR MANAGING ALERTS USING A STATE MACHINE

NetScout Systems, Inc, W...

1. A computer-implemented method for managing alerts comprising:intercepting network traffic utilizing network monitors for subsequent analysis of the intercepted network traffic;
interfacing with the network monitors;
receiving anomaly triggers generated as a function of detection of anomalies in the intercepted and analyzed network traffic;
associating an anomaly trigger of the received anomaly triggers with an alert;
establishing a state machine in response to receiving an anomaly trigger in accordance with a determination that a state machine matching the anomaly trigger is not yet established;
tracking the alert using the state machine, wherein the state machine is established by creating an entry in a hash table;
determining whether to change a state of the state machine if a subsequent anomaly trigger associated with the alert is received or if a predetermined amount of time passes without receiving trigger information;
changing the state of the state machine from an initial state when the anomaly trigger was received to a preactive state or remaining in the preactive state when preactive state conditions are met, the preactive state conditions including the state machine being established during a current interval and passage of a predefined number of intervals is required before entering an active state, or the anomaly trigger includes one or more non-consecutive anomaly triggers, wherein one or more gaps between the non-consecutive anomaly triggers do not exceed a predetermined maximum alarm wait time;
changing the state of the state machine from the initial or preactive state to an active state when newly active state conditions are met, the newly active state conditions including the state machine being established during the current interval and passage of a predefined number of intervals is required before entering an active state, or the anomaly trigger includes two or more consecutive anomaly triggers;
keeping the state of the state machine in the active state when remain in active state conditions are met, the remain in active state conditions including a number of intervals the state machine remains in the active state does not exceed a predetermined maximum duration, and a number of intervals the state machine remains in the active state while not receiving any subsequent associated anomaly triggers does not exceed a predetermined maximum wait time; and
generating an alarm based on the state of the state machine.

US Pat. No. 10,674,371

NETWORK TABLE ERROR DETECTION USING CALL TRACE RECORDS

NetScout Systems, Inc., ...

1. A system for correcting network planning data, the system comprising:a planning repository comprising information on network traffic, network element locations, and network element connectivity;
a repository of a wireless network comprising a plurality of call trace records; and
an information processing system comprising a processor and a memory device coupled to the processor in communication with the planning database and with the repository of the wireless network, the memory device containing a set of instructions that, when executed by the processor, cause the processor to:
receive call trace records from a wireless network interface and 1) send one set of the call trace records to an error detector module, and 2) send another set of the call trace records for storage in memory; and
compare in the error detector module information in the at least one call trace record received directly from the wireless network interface with corresponding information stored in the planning repository to identify one or more errors in the information stored in the planning repository wherein the set of instructions that cause the processor to identify one or more errors further cause the processor to identify one or more network elements having uncalibrated media latency based on timing advance information.

US Pat. No. 10,999,123

SYSTEMS AND METHODS FOR PERFORMING COMPUTER NETWORK SERVICE CHAIN ANALYTICS

NetScout Systems, Inc, W...

1. A computer system for performing computer network service chain analytics, the system comprising:one or more network-connected devices containing a plurality of virtual network functions (VNFs) having one or more elements wherein at least some of the VNFs include one or more VNF service chains each having two or more macro and micro elements;
a data model for storing a plurality of metrics related to the plurality of VNFs; and
a service chain intelligence engine comprising a processor and a memory device coupled to the processor in communication with the one or more network-connected devices and in communication with the data model, the memory device containing a set of instructions that, when executed by the processor, cause the processor to:
analyze the plurality of VNFs to automatically identify one or more service chains;
automatically determine performance behavior characteristics of each element for each of the identified service chains using the data model by automatically determining performance behavior characteristics of both macro and micro elements in the one or more VNF service chains using the data model and by employing active agent test data wherein the active agent test data is a common piece of code inserted into each VNF element to perform pre-determined availability and latency tests within certain links of the one or more VNF service chains; and
automatically generate an alarm, in response to determining that the performance behavior characteristics of one or more elements of at least one of the identified one or more service chains does not meet a predefined set of the performance behavior characteristics.

US Pat. No. 10,992,569

SYSTEM AND METHOD FOR REAL-TIME LOAD BALANCING OF NETWORK PACKETS

NetScout Systems, Inc., ...

1. A method for automatically distributing a user plane packet to one of at least two network probes to automatically balance the monitoring load, the distributing comprising:receiving at a packet flow switch a packet having a header portion and a payload portion, the packet flow switch in communication with the at least two network probes;
determining whether the received packet is a user plane packet or a control plane packet;
responsive to determining that the received packet is a control plane packet, sending the control plane packet to all of the probes;
statelessly identifying a session-instance identifier of a received user plane packet using a value in a payload portion of the packet regardless of association with a control plane packet;
determining whether the packet is associated with an existing session-instance being analyzed by a first network probe or a new session-instance, the determining using the session-instance identifier;
responsive to identifying that the packet is associated with the existing session-instance, sending the received user plane packet to the first network probe;
responsive to identifying that the packet is associated with the new session-instance, assigning the packet to one of the network probes and updating a session-instance database to include an identified packet session-instance if determined a new session-instance;
purging a control packet from each of the probes it is distributed to contingent upon inactivity of an associated session-instances;
receiving the user plane packet of the session-instance from one of a plurality of network transmission links; and
using the session-instance identifier to send subsequently received user plane packets of the session-instance transmitted through any of a plurality of network transmission links to the selected network probe.

US Pat. No. 10,979,556

DETECTING AND REPORTING USER TRIGGERED CALL DROPS

NetScout Systems, Inc, W...

1. A method for detecting user triggered call drops, the method comprising:monitoring network data packets associated with calls on a telecommunications network;
capturing network data packets from the telecommunications network associated with a plurality of monitored calls; and
analyzing the captured network data packets, wherein analyzing includes:
identifying one or more user terminated calls from the plurality of monitored calls;
correlating signaling information associated with the identified user terminated calls with media channel information associated with the identified user terminated calls;
determining if termination of the one or more of the identified user terminated calls is related to quality of media across corresponding media channels by analyzing duration of detected media reception gaps to determine if a predetermined threshold has been exceeded and determine if a media gap accrued prior to session termination; and
assigning a predefined cause code to the one or more of the identified terminated calls, in response to determining that the termination of the one or more of the user identified terminated calls is related to the quality of media across the corresponding media channels includes determining if the termination of the one or more of the identified user terminated calls is related to the quality of media based on a failure cause code associated with a call terminating signaling message.