Vector-based anomaly detection

US 10,218,732 B2
Filed: 04/06/2017
Issued: 02/26/2019
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:

a black box memory configured to at least store a plurality of behavior metrics; and

an anomaly agent coupled with the black box and configured to at least;

determine a baseline vector corresponding to nominal behavior of the network fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;

disaggregate anomaly detection criteria into a plurality of anomaly criterion to be distributed among the plurality of network nodes, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;

aggregate anomaly criterion statuses calculated by at least some of the plurality of network nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the network node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and

notify a manager of the anomalous behavior.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics. The variation can be calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector. Anomaly criterion statuses calculated by at least some of the plurality of network nodes are aggregated to detect anomalous behavior. Each anomaly criterion status can be calculated by a network node as a function of the network node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics.

Citations

24 Claims

1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
- a black box memory configured to at least store a plurality of behavior metrics; and
  
  an anomaly agent coupled with the black box and configured to at least;
  
  determine a baseline vector corresponding to nominal behavior of the network fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;
  
  disaggregate anomaly detection criteria into a plurality of anomaly criterion to be distributed among the plurality of network nodes, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;
  
  aggregate anomaly criterion statuses calculated by at least some of the plurality of network nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the network node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and
  
  notify a manager of the anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least establish the anomaly detection criteria by at least one ofstimulating an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector;
    - modeling an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector by constructing a logical representation of the fabric by using nodes of the fabric; and
      
      modeling the anomalous behavior by running a live drill.
  - 3. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least collect at least one of fabric-level metrics as a portion of the measured behaviors metrics, component-level metrics as a portion of the measured behaviors metrics, application metrics as a portion of the measured behaviors metrics, and external metrics as a portion of the measured behaviors metrics.
  - 4. The hybrid-fabric apparatus of claim 1, wherein the at least some of the plurality of network nodes calculate their anomaly criterion statuses as a function of a trend of the measured behavior metrics.
  - 5. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least generate a leading indicator of a likelihood that anomalous behavior is about to occur as a function of the aggregated anomaly criterion statuses.
  - 6. The hybrid-fabric apparatus of claim 5, wherein the anomaly agent is configured to at least generate the leading indicator by calculating a likelihood of the anomalous behavior occurring while the anomaly detection criteria remains unsatisfied.
  - 7. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least identify an anomaly type of the anomalous behavior based on the anomaly criterion statuses.
  - 8. The hybrid-fabric apparatus of claim 7, wherein the anomaly agent is configured to at least automatically respond to the anomalous behavior according to a prior defined action based at least in part on the anomaly type.
  - 9. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least migrate anomalous traffic to a monitored data channel within the fabric.
  - 10. The hybrid-fabric apparatus of claim 1, the anomaly agent is configured to at least update the anomaly detection criteria according to a known change in the fabric and sending the receiving nodes correspondingly updated anomaly criterion.
  - 11. The hybrid-fabric apparatus of claim 10, wherein the known change comprises an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric.
  - 12. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is configured to at least store a history of the anomaly criterion statuses in the black box memory.
  - 13. The hybrid-fabric apparatus of claim 12, wherein the anomaly agent is configured to at least store the history by migrating the history from a first one of the networking nodes to the black box memory housed within a second, different one of the networking nodes in response to the anomaly criterion statuses satisfying a migration triggering condition.

14. A network fabric system comprising:
- a plurality of network nodes; and
  
  an anomaly agent coupled with the plurality of network nodes and configured to at least;
  
  determine a baseline vector corresponding to nominal behavior of the network fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;
  
  disaggregate anomaly detection criteria into a plurality of anomaly criterion to be distributed among the plurality of network nodes, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;
  
  aggregate anomaly criterion statuses calculated by at least some of the plurality of network nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the network node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and
  
  notify a manager of the anomalous behavior.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The network fabric system of claim 14, wherein the anomaly agent is configured to at least establish the anomaly detection criteria by at least one ofstimulating an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector;
    - modeling an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector by constructing a logical representation of the fabric by using nodes of the fabric; and
      
      modeling the anomalous behavior by running a live drill.
  - 16. The network fabric system of claim 14, wherein the anomaly agent is configured to at least collect at least one of fabric-level metrics as a portion of the measured behaviors metrics, component-level metrics as a portion of the measured behaviors metrics, application metrics as a portion of the measured behaviors metrics, and external metrics as a portion of the measured behaviors metrics.
  - 17. The network fabric system of claim 14, wherein the at least some of the plurality of network nodes calculate their anomaly criterion statuses as a function of a trend of the measured behavior metrics.
  - 18. The network fabric system of claim 14, wherein the anomaly agent is configured to at least generate a leading indicator of a likelihood that anomalous behavior is about to occur as a function of the aggregated anomaly criterion statuses.
  - 19. The network fabric system of claim 18, wherein the anomaly agent is configured to at least generate the leading indicator by calculating a likelihood of the anomalous behavior occurring while the anomaly detection criteria remains unsatisfied.
  - 20. The network fabric system of claim 14, wherein the anomaly agent is configured to at least identify an anomaly type of the anomalous behavior based on the anomaly criterion statuses.
  - 21. The network fabric system of claim 20, wherein the anomaly agent is configured to at least automatically respond to the anomalous behavior according to a prior defined action based at least in part on the anomaly type.
  - 22. The network fabric system of claim 14, wherein the anomaly agent is configured to at least migrate anomalous traffic to a monitored data channel within the fabric.
  - 23. The network fabric system of claim 14, the anomaly agent is configured to at least update the anomaly detection criteria according to a known change in the fabric and sending the receiving nodes correspondingly updated anomaly criterion.
  - 24. The network fabric system of claim 23, wherein the known change comprises an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Original Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Inventors
Wittenschlaeger, Thomas
Primary Examiner(s)
Parsons, Theodore C

Application Number

US15/480,646
Publication Number

US 20170214706A1
Time in Patent Office

691 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

Vector-based anomaly detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Vector-based anomaly detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links