Method and system for confident anomaly detection in computer network traffic
Abstract
The present invention relates to systems and methods for detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines. Upon detection, traffic anomalies can be processed to determine valuable network insights, including health of interfaces, devices and network services, as well as to provide timely alerts in the event of attack.
Claims
1. A method for detecting and classifying network traffic anomalies, comprising:
- receiving a packet of information related to network traffic;
- passing said packet to a plurality of network traffic analyzers, each network traffic analyzer capable of applying a corresponding one of a plurality of analytical algorithms to information contained in the packet;
- receiving results of analysis performed by the plurality of analyzers, each result corresponding to an event type;
- evaluating results of analysis performed by the plurality of analyzers as a collection by applying an exponentially decayed weight to each of the results, dependent upon event type, and calculating a cumulative confidence metric as a sum of the weights;
- determining if the result of evaluation signifies a network traffic anomaly by comparing the cumulative confidence metric to a threshold; and
- emitting an alert if the result of evaluation signifies a network traffic anomaly.

Dependent claims: 2.
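The scoring step of claim 1, as an added illustration that is not part of the patent text: each analyzer result carries an event type, the type selects a base weight and a decay rate, the weight decays exponentially with the age of the result, and the cumulative confidence metric is the sum of the decayed weights compared against a threshold. The event types, numeric weights, decay rates and the choice of result age as the decay variable are assumptions; the claim fixes none of them.

```python
import math
from dataclasses import dataclass

# Assumed per-event-type parameters: (base weight, decay rate per second).
# The claim makes the weight depend on event type but does not give values.
EVENT_WEIGHTS = {
    "port_scan": (0.6, 0.02),
    "syn_flood": (0.9, 0.05),
    "dns_burst": (0.4, 0.01),
}


@dataclass
class AnalyzerResult:
    """One result returned by one of the network traffic analyzers."""
    event_type: str
    observed_at: float  # seconds; when the analyzer raised the result


def decayed_weight(result: AnalyzerResult, now: float) -> float:
    """Base weight for the event type, decayed exponentially with result age."""
    base, rate = EVENT_WEIGHTS[result.event_type]  # KeyError for unknown types
    age = max(0.0, now - result.observed_at)
    return base * math.exp(-rate * age)


def cumulative_confidence(results, now: float) -> float:
    """Cumulative confidence metric: the sum of the decayed weights."""
    return sum(decayed_weight(r, now) for r in results)


def evaluate(results, now: float, threshold: float = 1.0):
    """Return (metric, alert): alert is True when the metric reaches the threshold."""
    metric = cumulative_confidence(results, now)
    return metric, metric >= threshold


if __name__ == "__main__":
    # Constructed sample: three analyzer results of different ages.
    sample = [
        AnalyzerResult("syn_flood", observed_at=100.0),
        AnalyzerResult("port_scan", observed_at=90.0),
        AnalyzerResult("dns_burst", observed_at=0.0),
    ]
    for t in (100.0, 200.0):
        metric, alert = evaluate(sample, now=t)
        print(f"t={t:.0f}s metric={metric:.3f} alert={alert}")
```

Evaluating the same three results 100 seconds later shows the metric falling below the threshold as the results age, so a burst of corroborating events alerts while scattered stale ones do not.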
3. A method for detecting and classifying network traffic anomalies, comprising:
- configuring a data observation interval (dt);
- setting a traffic observation interval (T) as T=2n*dt, where n is a positive whole number;
- receiving a stream of packets of information related to network traffic over the traffic observation interval as a series of observations, wherein each observation in the series of observations is the data observation interval length;
- passing at least a portion of said stream of information packets to a network traffic analyzer;
- applying a wavelet series algorithm to a characteristic of the observations to perform a change detection, wherein at least one change point is detected;
- determining if said applying step indicates the existence of a network traffic anomaly by calculating a trend for the characteristic after the change point, and determining the anomaly exists when the trend is increasing; and
- emitting an alert if a network traffic anomaly is detected;
- wherein said applying and said determining step are practiced prior to any step of permanently storing said portion of said stream of information packets.

4. A method for assessing the condition of an interface of a network device, comprising:
- receiving a stream of packets of information related to network traffic passing through said network device interface;
- passing at least a portion of said stream of information packets to a network traffic analyzer;
- applying at least one analytical algorithm to said portion of said stream of information packets, wherein the at least one analytical algorithm includes a change detection function to detect a change point, and analyzing a characteristic after the change point as a metric for assessing an operational condition of said network device interface;
- applying an exponentially decayed weight to the metric and calculating a cumulative confidence metric as a sum of the metric weight along with weights of other metrics;
- emitting an alert if said cumulative confidence metric indicates an abnormal operational condition of said network device interface;
- wherein said applying and said metric computation are practiced prior to any step of permanently storing said portion of said stream of information packets.

Dependent claims: 5, 6, 7.
Specification