Multi-dimensional system anomaly detection
First Claim
1. A method comprising:
- receiving, at a device in a network, a first plurality of measurements for network metrics captured during a first time period;
- determining, by the device, a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
- receiving, at the device, a second plurality of measurements for the network metrics captured during a second time period;
- determining, by the device, a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period;
- in response to determining the first and second sets of correlations, generating, by the device, a plurality of persistence diagrams based on the first and second sets of correlations as sets, each diagram of the plurality of persistence diagrams a set of topological features associated with the first and second sets of correlations;
- computing, by the device, a distance between at least two of the plurality of generated persistence diagrams, wherein the distance represents an anomaly score associated with a change in the topology of the network; and
- identifying, by the device, a difference between the first and second sets of correlations between the network metrics as a network anomaly based on the anomaly score.
Abstract
In one embodiment, a device in a network receives a first plurality of measurements for network metrics captured during a first time period. The device determines a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period. The device receives a second plurality of measurements for the network metrics captured during a second time period. The device determines a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period. The device identifies a difference between the first and second sets of correlations between the network metrics as a network anomaly.
18 Claims
1. A method comprising:
- receiving, at a device in a network, a first plurality of measurements for network metrics captured during a first time period;
- determining, by the device, a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
- receiving, at the device, a second plurality of measurements for the network metrics captured during a second time period;
- determining, by the device, a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period;
- in response to determining the first and second sets of correlations, generating, by the device, a plurality of persistence diagrams based on the first and second sets of correlations as sets, each diagram of the plurality of persistence diagrams a set of topological features associated with the first and second sets of correlations;
- computing, by the device, a distance between at least two of the plurality of generated persistence diagrams, wherein the distance represents an anomaly score associated with a change in the topology of the network; and
- identifying, by the device, a difference between the first and second sets of correlations between the network metrics as a network anomaly based on the anomaly score.

Dependent claims: 2, 3, 4, 5, 6, 7
8. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed operable to:
  - receive a first plurality of measurements for network metrics captured during a first time period;
  - determine a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
  - receive a second plurality of measurements for the network metrics captured during a second time period;
  - determine a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period;
  - in response to determining the first and second sets of correlations, generate a plurality of persistence diagrams based on the first and second sets of correlations as sets, each diagram of the plurality of persistence diagrams a set of topological features associated with the first and second sets of correlations;
  - compute a distance between at least two of the plurality of generated persistence diagrams, wherein the distance represents an anomaly score associated with a change in the topology of the network; and
  - identify a difference between the first and second sets of correlations between the network metrics as a network anomaly based on the anomaly score.

Dependent claims: 9, 10, 11, 12, 13, 14
15. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- receiving a first plurality of measurements for network metrics captured during a first time period;
- determining a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
- receiving a second plurality of measurements for the network metrics captured during a second time period;
- determining a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period;
- in response to determining the first and second sets of correlations, generating a plurality of persistence diagrams based on the first and second sets of correlations as sets, each diagram of the plurality of persistence diagrams a set of topological features associated with the first and second sets of correlations;
- computing a distance between the generated persistence diagrams, wherein the distance represents an anomaly score; and
- identifying a difference between the first and second sets of correlations between the network metrics as a network anomaly based on the anomaly score.

Dependent claims: 16, 17, 18
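The pipeline recited in the independent claims (correlations per time period, persistence diagrams, diagram distance as anomaly score), sketched as an added example that is not code from the patent or its assignee. The choices here are assumptions: the distance between metrics is 1 - |r|, only 0-dimensional features (connected components) are tracked, the diagram distance is the L-infinity distance between sorted death values, and the metric names, sample values and threshold are constructed.

```python
import math
from itertools import combinations

def pearson(x, y):
    """Pearson correlation; a constant series is treated as uncorrelated (r = 0)."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def h0_diagram(window):
    """Death times of the 0-dimensional persistence diagram for one window.

    Metrics are points, d = 1 - |r| is the distance between them, and every
    component is born at 0. Components merge along minimum-spanning-tree
    edges (Kruskal with union-find), so the deaths are the MST edge weights.
    """
    names = sorted(window)
    parent = {n: n for n in names}
    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path compression
            n = parent[n]
        return n
    edges = sorted((1 - abs(pearson(window[a], window[b])), a, b)
                   for a, b in combinations(names, 2))
    deaths = []
    for d, a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:          # this edge merges two components: one dies at d
            parent[ra] = rb
            deaths.append(d)
    return deaths  # ascending, because edges were processed in sorted order

def anomaly_score(win1, win2):
    """L-infinity distance between sorted death vectors (same metric set assumed).
    This upper-bounds the bottleneck distance between the two H0 diagrams."""
    return max(abs(a - b) for a, b in zip(h0_diagram(win1), h0_diagram(win2)))

# Constructed sample data: three metrics, six samples per time period.
BASELINE = {"cpu": [1, 2, 3, 4, 5, 6], "latency": [2, 4, 6, 8, 10, 12],
            "queue_free": [6, 5, 4, 3, 2, 1]}
LATER = {"cpu": [1, 2, 3, 4, 5, 6], "latency": [3, 1, 2, 2, 1, 3],
         "queue_free": [6, 5, 4, 3, 2, 1]}
THRESHOLD = 0.25  # assumed cut-off, not from the patent

def is_anomaly(win1, win2, threshold=THRESHOLD):
    return anomaly_score(win1, win2) > threshold
```

In the constructed data, latency tracks cpu in the first period and is uncorrelated with it in the second, so one component that used to merge at distance 0 now persists until distance 1 and the score rises accordingly.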
Specification