Classification of detected network anomalies using additional data
Abstract
A network anomaly detector detects a network anomaly by monitoring a communication network and provides an indication of the detected network anomaly to a network anomaly analyzer. The network anomaly analyzer receives the indication of the detected network anomaly and, on the basis of data representing the detected network anomaly and additional data, e.g., from outside the communication network, performs classification of the detected network anomaly. Depending on the classification of the detected network anomaly, the network anomaly analyzer provides a report of the detected network anomaly to another node. If for example the detected network anomaly is classified as expected behavior, reporting of the detected network anomaly may be suppressed.
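The classification step described in the abstract and in claim 1, as an added Python sketch (not code from the patent or its assignee). The event calendar, anomaly history, distance measure, tolerance and all names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from math import dist, hypot

@dataclass(frozen=True)
class Anomaly:
    metric: str      # monitored quantity, e.g. "signalling_load"
    cell: str        # network element where the detector saw it
    profile: tuple   # deviation from baseline per time bin (constructed units)

# Constructed history: anomaly recorded during an earlier scheduled event of each type.
HISTORY = {"stadium_match": Anomaly("signalling_load", "cell-17", (0.2, 1.8, 2.5, 2.1, 0.4))}

# Constructed stand-in for the external data source (event calendar outside the network).
CALENDAR = {("cell-17", "2024-05-04"): ["stadium_match"]}

def fetch_scheduled_events(cell, day):
    """Hypothetical request for scheduled event information near `cell` on `day`."""
    return CALENDAR.get((cell, day), [])

def relative_distance(a, b):
    """Euclidean distance between profiles, scaled by the larger norm (0 = identical)."""
    scale = max(hypot(*a), hypot(*b))
    return dist(a, b) / scale if scale else 0.0

def classify(anomaly, day, tolerance=0.25):
    """Return ("expected", event) if a similar anomaly accompanied a past event of a
    type scheduled now, otherwise ("unexpected", None)."""
    for event in fetch_scheduled_events(anomaly.cell, day):
        prev = HISTORY.get(event)
        if (prev and prev.metric == anomaly.metric
                and len(prev.profile) == len(anomaly.profile)
                and relative_distance(prev.profile, anomaly.profile) <= tolerance):
            return "expected", event
    return "unexpected", None

def handle(anomaly, day, reports, audit):
    """Report unexpected anomalies; suppress expected ones but keep an audit record."""
    label, event = classify(anomaly, day)
    if label == "unexpected":
        reports.append((day, anomaly))
    else:
        audit.append((day, anomaly, event))
    return label
```

The distance measure compares magnitude as well as shape, so an anomaly that coincides with a scheduled event but is much larger than the one seen previously is still reported. Keeping suppressed anomalies in a local audit list is a design choice of this sketch so that suppression decisions can be reviewed; the page itself only states that reporting is suppressed.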
19 Claims
1. A method performed in a device that analyzes network anomalies in a communication network, the method comprising:
- receiving an indication of a network anomaly which was detected by monitoring the communication network;
- responsive to receiving the indication, communicating, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
- responsive to receiving the scheduled event information from outside of the communication network, identifying a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
- responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
- responsive to determining the classification of the detected network anomaly as unexpected behavior, providing a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
- responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
- responsive to determining the classification of the detected network anomaly as expected behavior, suppressing reporting of the detected network anomaly.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 19

10. A device for analyzing network anomalies in a communication network, the device comprising at least one processor, wherein the at least one processor is configured to:
- receive an indication of a network anomaly which was detected by monitoring the communication network;
- responsive to reception of the indication, communicate, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
- responsive to reception of the scheduled event information from outside of the communication network, identify a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
- responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
- responsive to the determination of the classification of the detected network anomaly as unexpected behavior, provide a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
- responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
- responsive to the determination of the classification of the detected network anomaly as expected behavior, suppress reporting of the detected network anomaly.

Dependent claims: 11, 12, 13, 14, 15, 16, 17

18. A system for analyzing network anomalies in a communication network, the system comprising:
- a network anomaly detector device comprising a processor and memory; and
- a network anomaly analyzer device comprising a processor and memory,

wherein the processor and memory of the network anomaly detector device are configured to detect a network anomaly by monitoring the communication network and provide an indication of the detected network anomaly to the network anomaly analyzer, and wherein the processor and memory of the network anomaly analyzer device are configured to:
- receive the indication of the detected network anomaly;
- responsive to reception of the indication, communicate, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
- responsive to reception of the scheduled event information from outside of the communication network, identify a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
- responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
- responsive to the determination of the classification of the detected network anomaly as unexpected behavior, provide a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
- responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
- responsive to the determination of the classification of the detected network anomaly as expected behavior, suppress reporting of the detected network anomaly.

Specification