Anomaly detection based on connection requests in network traffic
Abstract
The disclosed embodiments include a method performed by a computer system. The method includes forming groups of traffic, where each group includes a subset of detected connection requests. The method further includes determining a periodicity of connection requests for each group, identifying a particular group based on whether the periodicity of connection requests of the particular group satisfies a periodicity criterion, determining a frequency of the particular group in the traffic, and identifying the particular group as an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
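The two-stage filter described in the abstract, sketched as an added example (not code from the patent or its assignee). Assumptions not stated on the page: groups are keyed by (source, destination), periodicity is scored as the coefficient of variation of the gaps between requests, and "frequency" is taken to be the share of observed sources that contact the group's destination; the thresholds and sample traffic are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def form_groups(requests):
    """Group connection-request timestamps by (source, destination)."""
    groups = defaultdict(list)
    for ts, src, dst in requests:
        groups[(src, dst)].append(ts)
    return groups

def periodicity(timestamps, min_requests=5):
    """Coefficient of variation of inter-request gaps (0 = perfectly regular).
    Returns None when there are too few requests to judge."""
    ts = sorted(timestamps)
    if len(ts) < min_requests:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None

def periodic_groups(groups, max_cv=0.1):
    """Groups whose timing satisfies the (assumed) periodicity criterion."""
    out = {}
    for key, ts in groups.items():
        cv = periodicity(ts)
        if cv is not None and cv <= max_cv:
            out[key] = cv
    return out

def detect(requests, max_cv=0.1, max_prevalence=0.25):
    """Periodic groups whose destination is rare across sources."""
    groups = form_groups(requests)
    sources = {src for src, _ in groups}
    by_dst = defaultdict(set)
    for src, dst in groups:
        by_dst[dst].add(src)
    return sorted(
        key for key in periodic_groups(groups, max_cv)
        if len(by_dst[key[1]]) / len(sources) <= max_prevalence
    )

# Constructed sample: (timestamp in seconds, source host, destination).
SAMPLE = (
    [(t, "h3", "beacon.example")
     for t in (0, 60, 121, 180, 241, 300, 359, 420, 481, 540)]
    + [(t, h, "updates.example")
       for h in ("h1", "h2", "h3", "h4", "h5") for t in range(0, 1500, 300)]
    + [(t, "h1", "web.example") for t in (5, 17, 200, 230, 900, 910)]
)
```

The periodicity stage alone also passes the update traffic that every host generates on a fixed schedule; the frequency stage is what separates it from the single-host periodic group.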
30 Claims
1. A method comprising:
forming, by a computer system, groups of traffic, traffic forming the groups of traffic including connection requests;
determining, by the computer system, a periodicity of a set of connection requests included in each group of the groups of traffic;
identifying, by the computer system, a particular group of the groups of traffic based on whether the periodicity of a particular set of connection requests in the particular group satisfies a periodicity criterion, wherein the periodicity criterion includes a timing of a regular occurrence between requests in a set of connection requests in a group from the groups of traffic;
determining, by the computer system, a frequency of a set of the groups of traffic, the set of groups of traffic including the particular group; and
identifying, by the computer system, the particular group as corresponding to an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
Dependent claims: 2-27.
28. A non-transitory computer-readable storage medium storing computer-readable instructions, the instructions comprising:
instructions for forming, by a computer system, groups of traffic, traffic forming the groups of traffic including connection requests;
instructions for determining, by the computer system, a periodicity of a set of connection requests included in each group of the groups of traffic;
instructions for identifying, by the computer system, a particular group of the groups of traffic based on whether the periodicity of a particular set of connection requests of the particular group satisfies a periodicity criterion, wherein the periodicity criterion includes a timing of a regular occurrence between requests in a set of connection requests in a group from the groups of traffic;
instructions for determining, by the computer system, a frequency of a set of the groups of traffic, the set of groups of traffic including the particular group;
instructions for identifying, by the computer system, the particular group as corresponding to an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
29. A system, comprising:
a processor; and
a memory having instructions executable by the processor to cause the system to:
form groups of traffic, traffic forming the groups of traffic including connection requests;
determine a periodicity of a set of connection requests included in each group of the groups of traffic;
identify a particular group of the groups of traffic based on whether the periodicity of a particular set of connection requests in the particular group satisfies a periodicity criterion, wherein the periodicity criterion includes a timing of a regular occurrence between requests in a set of connection requests in a group from the groups of traffic;
determine a frequency of a set of the groups of traffic, the set of groups of traffic including the particular group; and
identify the particular group as corresponding to an anomaly based on whether the frequency of the particular group satisfies a frequency criterion.
Dependent claims: 30.
Specification