Anomaly detection using device relationship graphs
First Claim
1. A method for monitoring network packets over a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- instantiating a network monitoring application to perform actions, including:
  - detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  - employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  - updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  - employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
  - employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  - notifying a user of the one or more anomalies in the network.
Abstract
Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC performs further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.
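As an added illustration (not code from the patent or its assignee), the following Python sketch models the flow described above: agents and relationships as a graph, agents first seen only in packets added with phantom edges, error signals turned into per-agent anomalies, and the graph used to collapse anomalies on related agents into one notification. The device names, error-signal names and the rule that "related" means "in the same connected component" are assumptions for the example.

```python
from collections import defaultdict

class DeviceRelationModel:
    # Graph of agents (nodes) and relationships (edges); a "phantom" edge is inferred from traffic only.
    def __init__(self):
        self.agents, self.edges = set(), {}  # edges: frozenset({a, b}) -> "known" | "phantom"
    def add_relationship(self, a, b, kind="known"):
        self.agents.update((a, b))
        e = frozenset((a, b))
        if kind == "known" or e not in self.edges:  # a known edge overrides a phantom one
            self.edges[e] = kind

    def observe_packet(self, src, dst):
        # Two agents unassociated with the model become new agents joined by a phantom edge.
        if src not in self.agents and dst not in self.agents:
            self.add_relationship(src, dst, kind="phantom")

    def component_of(self, start):
        # Agents reachable from start over any edge (depth-first traversal of the graph).
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            seen.add(n)
            stack.extend(b for e in self.edges if n in e for b in e if b not in seen)
        return frozenset(seen)

def reduce_anomalies(model, error_signals):
    # error_signals: (agent, signal) pairs; same signal on related agents collapses into one anomaly.
    by_signal = defaultdict(set)
    for agent, signal in error_signals:
        if agent in model.agents:  # agents outside the model are ignored
            by_signal[signal].add(agent)
    reduced = []
    for signal, agents in by_signal.items():
        groups = defaultdict(set)
        for a in agents:
            groups[model.component_of(a)].add(a)
        for comp, members in groups.items():
            phantom = any(k == "phantom" for e, k in model.edges.items() if e <= comp)
            reduced.append({"signal": signal, "agents": sorted(members), "phantom": phantom})
    return sorted(reduced, key=lambda r: (r["signal"], r["agents"]))

def build_sample_model():
    # Constructed sample: four known devices plus two devices first seen only in traffic.
    m = DeviceRelationModel()
    for a, b in [("lb", "app1"), ("lb", "app2"), ("app1", "db"), ("app2", "db")]:
        m.add_relationship(a, b)
    m.observe_packet("iot-cam", "nvr")   # both unknown: two new agents plus a phantom edge
    m.observe_packet("printer", "app1")  # app1 already known: model unchanged, printer stays outside
    return m
```

The `phantom` flag on a reduced anomaly tells the analyst that the affected agents are known only from observed traffic, so the relationship behind the grouping is unconfirmed.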
16 Claims
5. A system for monitoring network traffic in a network comprising:
- a network computer, comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including:
    - instantiating a network monitoring application to perform actions, including:
      - detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
      - employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
      - updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
      - employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal; and
      - employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
- a client computer, comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including:
    - receiving notification of the one or more anomalies in the network.

Dependent claims: 6, 7, 8
9. A network computer for monitoring network traffic in a network, comprising:
- a transceiver that communicates over the network;
- a memory that stores at least instructions; and
- one or more processors that execute instructions that perform actions, including:
  - instantiating a network monitoring application to perform actions, including:
    - detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
    - employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
    - updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
    - employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
    - employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
    - notifying a user of the one or more anomalies in the network.

Dependent claims: 10, 11, 12
13. A processor readable non-transitory storage media that includes instructions for monitoring network traffic in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- instantiating a network monitoring application to perform actions, including:
  - detecting one or more error signals from one or more agents that are included in a model that is comprised of a graph for two or more nodes and one or more edges, wherein each node represents an agent and each edge represents a relationship between two agents;
  - employing network packets communicated by two or more agents that are unassociated with the model to identify these two agents as two or more new agents for the model that have one or more relationships with each other;
  - updating the model with the two or more new agents and one or more phantom edges for the one or more relationships between the two or more new agents;
  - employing the network packets associated with the one or more error signals to identify a plurality of anomalies that correspond to more than one agent in the model that is associated with a same error signal;
  - employing the graph of the model to reduce an amount of the plurality of anomalies into one or more anomalies; and
  - notifying a user of the one or more anomalies in the network.

Dependent claims: 14, 15, 16