Anomaly detection using device relationship graphs

US 10,382,303 B2
Filed: 08/07/2017
Issued: 08/13/2019
Est. Priority Date: 07/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network packets over a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:

instantiating a network monitoring application to perform actions, including;

detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;

employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;

updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;

employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;

employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and

notifying a user of the one or more anomalies in the network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC perform further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.

229 Citations

16 Claims

1. A method for monitoring network packets over a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  
  employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  
  updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  
  employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
  
  employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  
  notifying a user of the one or more anomalies in the network.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising employing the model to identify those agents that are associated with the one or more error signals and that are also associated with each other in the model.
  - 3. The method of claim 1, further comprising employing relationships between agents associated with the model to identify groups of agents that are associated with each other.
  - 4. The method of claim 1, wherein the employing of network packets communicated by the two or more agents that are unassociated with the model to identify these two agents as the two or more new agents, further comprises employing one or more of traffic patterns, configuration information, or heuristics for the network packets.

5. A system for monitoring network traffic in a network comprising:
- a network computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  
  employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  
  updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  
  employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal; and
  
  employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  
  a client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  receiving notification of the one or more anomalies in the network.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, further comprising employing the model to identify those agents that are associated with the one or more error signals and that are also associated with each other in the model.
  - 7. The system of claim 5, further comprising employing relationships between agents associated with the model to identify groups of agents that are associated with each other.
  - 8. The system of claim 5, wherein the employing of network packets communicated by the two or more agents that are unassociated with the model to identify these two agents as the two or more new agents, further comprises employing one or more of traffic patterns, configuration information, or heuristics for the network packets.

9. A network computer for monitoring network traffic in a network, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  
  employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  
  updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  
  employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
  
  employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  
  notifying a user of the one or more anomalies in the network.
- View Dependent Claims (10, 11, 12)
- - 10. The network computer of claim 9, further comprising employing the model to identify those agents that are associated with the one or more error signals and that are also associated with each other in the model.
  - 11. The network computer of claim 9, further comprising employing relationships between agents associated with the model to identify groups of agents that are associated with each other.
  - 12. The network computer of claim 9, wherein the employing of network packets communicated by the two or more agents that are unassociated with the model to identify these two agents as the two or more new agents, further comprises employing one or more of traffic patterns, configuration information, or heuristics for the network packets.

13. A processor readable non-transitory storage media that includes instructions for monitoring network traffic in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  
  employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  
  updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  
  employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
  
  employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  
  notifying a user of the one or more anomalies in the network.
- View Dependent Claims (14, 15, 16)
- - 14. The media of claim 13, further comprising employing the model to identify those agents that are associated with the one or more error signals and that are also associated with each other in the model.
  - 15. The media of claim 13, further comprising employing relationships between agents associated with the model to identify groups of agents that are associated with each other.
  - 16. The media of claim 13, wherein the employing of network packets communicated by the two or more agents that are unassociated with the model to identify these two agents as the two or more new agents, further comprises employing one or more of traffic patterns, configuration information, or heuristics for the network packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Khanal, Bhushan Prasad, Wu, Xue Jun
Primary Examiner(s)
Donabed, Ninos

Application Number

US15/671,060
Publication Number

US 20180013650A1
Time in Patent Office

736 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/065   involving logical or physic...

H04L 41/145   involving simulating, desig...

H04L 43/0823   Errors, e.g. transmission e...

H04L 67/1044   Group management mechanisms...

H04L 69/16   Implementation or adaptatio...

Anomaly detection using device relationship graphs

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

229 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection using device relationship graphs

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

229 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links