Vector-based anomaly detection
First Claim
Patent Images
1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
- at least one memory configured to at least store a plurality of behavior metrics;
at least one processor coupled to the at least one memory; and
software code configured to use the at least one processor, access the at least one memory, and cause the apparatus to at least;
disaggregate a set of anomaly detection criteria into a plurality of anomaly criterion to be distributed among the plurality of network nodes, the set of anomaly detection criteria characterizing a variation from a baseline vector corresponding to nominal traffic flow through the network fabric, and the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics comprising a threshold;
aggregate anomaly criterion statuses calculated by at least some of the plurality of network nodes to detect anomalous behavior, each anomaly criterion status being calculated with respect to a network node as a function of the network node'"'"'s anomaly criterion and the measured behavior vector of behavior metrics; and
initiate a notification regarding the anomalous behavior.
4 Assignments
0 Petitions
Accused Products
Abstract
A hybrid-fabric apparatus comprises a black box memory configured to store a plurality of behavior metrics and an anomaly agent coupled to the black box. The anomaly agent determines a baseline vector corresponding to nominal behavior of the fabric, wherein the baseline vector comprises at least two different behavior metrics that are correlated with each other. The anomaly agent disaggregates anomaly detection criteria into a plurality of anomaly criterion to be distributed among network nodes in the fabric.
56 Citations
14 Claims
-
1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
-
at least one memory configured to at least store a plurality of behavior metrics; at least one processor coupled to the at least one memory; and software code configured to use the at least one processor, access the at least one memory, and cause the apparatus to at least; disaggregate a set of anomaly detection criteria into a plurality of anomaly criterion to be distributed among the plurality of network nodes, the set of anomaly detection criteria characterizing a variation from a baseline vector corresponding to nominal traffic flow through the network fabric, and the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics comprising a threshold; aggregate anomaly criterion statuses calculated by at least some of the plurality of network nodes to detect anomalous behavior, each anomaly criterion status being calculated with respect to a network node as a function of the network node'"'"'s anomaly criterion and the measured behavior vector of behavior metrics; and initiate a notification regarding the anomalous behavior. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeNant Holdings IP, LLC (NantWorks, LLC)
-
Original AssigneeNant Holdings IP, LLC (NantWorks, LLC)
-
InventorsWittenschlaeger, Thomas
-
Primary Examiner(s)Parsons, Theodore C
-
Application NumberUS16/248,305Publication NumberTime in Patent Office371 DaysField of SearchUS Class CurrentCPC Class CodesG06F 21/552 involving long-term monitor...H04L 63/1408 by monitoring network traff...H04L 63/1425 Traffic logging, e.g. anoma...H04L 63/18 using different networks or...
