Classification of detected network anomalies using additional data

US 10,404,525 B2
Filed: 10/18/2013
Issued: 09/03/2019
Est. Priority Date: 10/18/2013
Status: Active Grant

First Claim

Patent Images

1. A method performed in a device that analyzes network anomalies in a communication network, the method comprising:

receiving an indication of a network anomaly which was detected by monitoring the communication network;

responsive to receiving the indication, communicating, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;

responsive to receiving the scheduled event information from outside of the communication network, identifying a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;

responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;

responsive to determining the classification of the detected network anomaly as unexpected behavior, providing a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;

responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and

responsive to determining the classification of the detected network anomaly as expected behavior, suppressing reporting of the detected network anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network anomaly detector detects a network anomaly by monitoring a communication network and provides an indication of the detected network anomaly to a network anomaly analyzer. The network anomaly analyzer receives the indication of the detected network anomaly and, on the basis of data representing the detected network anomaly and additional data, e.g., from outside the communication network, performs classification of the detected network anomaly. Depending on the classification of the detected network anomaly, the network anomaly analyzer provides a report of the detected network anomaly to another node. If for example the detected network anomaly is classified as expected behavior, reporting of the detected network anomaly may be suppressed.

Citations

19 Claims

1. A method performed in a device that analyzes network anomalies in a communication network, the method comprising:
- receiving an indication of a network anomaly which was detected by monitoring the communication network;
  
  responsive to receiving the indication, communicating, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
  
  responsive to receiving the scheduled event information from outside of the communication network, identifying a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
  
  responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
  
  responsive to determining the classification of the detected network anomaly as unexpected behavior, providing a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
  
  responsive to identifying the previously detected network anomaly, determining a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
  
  responsive to determining the classification of the detected network anomaly as expected behavior, suppressing reporting of the detected network anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 19)
- - 2. The method according to claim 1, wherein the scheduled event information from outside the communication network comprises information on the scheduled event that previously occurred in a location of a service area of the communication network.
  - 3. The method according to claim 1,wherein determining said classification of the detected network anomaly as unexpected behavior further comprises:
    - obtaining one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
      
      determining a new anomaly pattern based on the detected network anomaly; and
      
      comparing the new anomaly pattern to the one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network; and
      
      determining the classification of the detected network anomaly as unexpected behavior based on the new anomaly pattern not matching the obtained one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network.
  - 4. The method of claim 3, wherein the new anomaly pattern includes a time series of behavior of an attribute of network data that deviates from a normal behavior of the attribute of network data.
  - 5. The method according to claim 1,wherein data representing the detected network anomaly comprises at least one of:
    - a timing of the detected network anomaly; and
      
      a location of the detected network anomaly.
  - 6. The method according to claim 1, further comprising:
    - determining a time-domain correlation of data representing the detected network anomaly with the scheduled event that previously occurred outside of the communication network; and
      
      determining a location-domain correlation of the data representing the detected network anomaly with the scheduled event that previously occurred outside of the communication network.
  - 7. The method according to claim 1, further comprising:
    - in response to determining the classification as unexpected behavior, providing feedback to a network anomaly detector used for detecting the network anomaly.
  - 8. The method of claim 1, wherein the scheduled event information comprises a schedule of events in the location of the service area of the communication network.
  - 9. The method of claim 1, further comprising:
    - responsive to providing the report, receiving feedback information to classify future detected network anomalies similar to the detected network anomaly as expected behavior.
  - 19. A computer program product comprising a non-transitory computer readable storage medium storing program code to be executed by at least one processor of a device for analyzing detected network anomalies, wherein execution of the program code causes the at least one processor to perform steps of the method according to claim 1.

10. A device for analyzing network anomalies in a communication network, the device comprising at least one processor,wherein the at least one processor is configured to:
- receive an indication of a network anomaly which was detected by monitoring the communication network;
  
  responsive to reception of the indication, communicate, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
  
  responsive to reception of the scheduled event information from outside of the communication network, identify a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
  
  responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
  
  responsive to the determination of the classification of the detected network anomaly as unexpected behavior, provide a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
  
  responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
  
  responsive to the determination of the classification of the detected network anomaly as expected behavior, suppress reporting of the detected network anomaly.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The device according to claim 10, wherein the scheduled event information from outside the communication network comprises information on the scheduled event that previously occurred in a location of a service area of the communication network.
  - 12. The device according to claim 10,wherein the at least one processor is further configured to:
    - obtain one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
      
      determine a new anomaly pattern based on the detected network anomaly; and
      
      compare the new anomaly pattern to the one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network; and
      
      determine the classification of the detected network anomaly as unexpected behavior based on the new anomaly pattern not matching the obtained one or more anomaly patterns associated with the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network.
  - 13. The device according to claim 10,wherein data representing the detected network anomaly comprise at least one of:
    - a timing of the detected network anomaly; and
      
      a location of the detected network anomaly.
  - 14. The device according to claim 10,wherein the at least one processor is further configured to:
    - determine a time-domain correlation of data representing the detected network anomaly with the scheduled event that previously occurred outside of the communication network; and
      
      determine a location-domain correlation of the data representing the detected network anomaly with the scheduled event that previously occurred outside of the communication network.
  - 15. The device according to claim 10,wherein the at least one processor is configured to provide feedback to a network anomaly detector used for detecting the network anomaly in response to the determination of the classification of the detected anomaly as unexpected behavior.
  - 16. The device according to claim 10, further comprising:
    - an interface for sending the report of the detected network anomaly; and
      
      wherein the report comprises the classification of the detected network anomaly.
  - 17. The device according to claim 10, further comprising:
    - an interface for receiving the indication of the detected network anomaly from a network anomaly detector.

18. A system for analyzing network anomalies in a communication network, the system comprising:
- a network anomaly detector device comprising a processor and memory; and
  
  a network anomaly analyzer device comprising a processor and memory,wherein the processor and memory of the network anomaly detector device are configured to detect a network anomaly by monitoring the communication network and provide an indication of the detected network anomaly to the network anomaly analyzer, andwherein the processor and memory of the network anomaly analyzer device are configured to;
  
  receive the indication of the detected network anomaly;
  
  responsive to reception of the indication, communicate, to a data source external to the communication network, a request for scheduled event information from outside of the communication network;
  
  responsive to reception of the scheduled event information from outside of the communication network, identify a previously detected network anomaly associated with a scheduled event that previously occurred outside of the communication network based on the scheduled event information received from outside of the communication network;
  
  responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as unexpected behavior based on a determination that the detected network anomaly is not similar to the previously detected network anomaly associated with the scheduled event that previously occurred outside of the communication network;
  
  responsive to the determination of the classification of the detected network anomaly as unexpected behavior, provide a report of the detected network anomaly in response to the classification of the detected network anomaly as unexpected behavior;
  
  responsive to the identification of the previously detected network anomaly, determine a classification of the detected network anomaly as expected behavior of the communication network based on a determination that the previously detected network anomaly associated with the scheduled event occurring outside of the communication network is similar to the detected network anomaly; and
  
  responsive to the determination of the classification of the detected network anomaly as expected behavior, suppress reporting of the detected network anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Larsson, Tony, Kvernvik, Tor, Moritz, Simon, Seyvet, Nicolas
Primary Examiner(s)
Hamza, Faruk
Assistant Examiner(s)
Decker, Cassandra L

Application Number

US15/026,502
Publication Number

US 20160254944A1
Time in Patent Office

2,146 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0613   based on the type or catego...

H04L 41/0618   based on the physical or lo...

H04L 41/064   involving time analysis

H04L 41/065   involving logical or physic...

H04L 41/14   Network analysis or design

H04L 41/142   using statistical or mathem...

H04L 43/067   using time frame reporting

H04L 63/1425   Traffic logging, e.g. anoma...

H04W 24/04   Arrangements for maintainin...

Classification of detected network anomalies using additional data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Classification of detected network anomalies using additional data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links