System and method for automated detection of anomalies in the values of configuration item parameters

US 10,635,557 B2
Filed: 02/21/2017
Issued: 04/28/2020
Est. Priority Date: 02/21/2017
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing and prioritizing configuration parameters in an information technology system, comprising:

collecting configuration parameters from computer stations connected in a network implementing the information technology system;

storing the collected configuration parameters in a database;

analyzing the configuration parameters by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing a level of conformity of the value of the configuration parameters to the anomaly;

aggregating the anomaly scores;

outputting a list of configuration parameters with an aggregated anomaly score;

wherein the anomaly routines include identifying a delta anomaly that estimates if the value of the configuration parameter is in an expected range of values;

wherein the expected range of values is obtained based on the values of the same configuration parameter in other stations of the network; and

/orwherein the anomaly routines include identifying a policy violation anomaly that verifies that the value of the configuration parameter does not violate a user specified rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for analyzing and prioritizing configuration parameters in an information technology system, including collecting configuration parameters from computer stations connected in a network implementing the information technology system, storing the collected configuration parameters in a database, analyzing the configuration parameters by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing a level of conformity of the value of the configuration parameters to the anomaly, aggregating the anomaly scores; and outputting a list of configuration parameters with an aggregated anomaly score.

10 Citations

View as Search Results

20 Claims

1. A method of analyzing and prioritizing configuration parameters in an information technology system, comprising:
- collecting configuration parameters from computer stations connected in a network implementing the information technology system;
  
  storing the collected configuration parameters in a database;
  
  analyzing the configuration parameters by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing a level of conformity of the value of the configuration parameters to the anomaly;
  
  aggregating the anomaly scores;
  
  outputting a list of configuration parameters with an aggregated anomaly score;
  
  wherein the anomaly routines include identifying a delta anomaly that estimates if the value of the configuration parameter is in an expected range of values;
  
  wherein the expected range of values is obtained based on the values of the same configuration parameter in other stations of the network; and
  
  /orwherein the anomaly routines include identifying a policy violation anomaly that verifies that the value of the configuration parameter does not violate a user specified rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the analyzing further comprises:
    - comparing the values of configuration parameters of a station from a later time with previous values of configuration parameters of the station;
      
      determining changes in the configuration parameters by said comparing;
      
      analyzing the determined changes by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing the level of conformity of the changes in the configuration parameters to the anomaly.
  - 3. The method of claim 2, wherein the anomaly routines analyze the configuration parameters and/or changes based on previous values, later values and meta-data related to the configuration parameters.
  - 4. The method of claim 2, wherein the anomaly routines include comparing the data type of the previous value to the data type of the value at the later time and identifying an anomaly if the data type changed.
  - 5. The method of claim 2, wherein the anomaly routines include identifying a relative difference anomaly that measures the difference between the previous value and the later value relative to the previous value.
  - 6. The method of claim 5, wherein a larger relative difference is designated by a higher anomaly score.
  - 7. The method of claim 5, wherein a downgraded software version is designated by a higher anomaly score than an upgraded version.
  - 8. The method of claim 5, wherein an IP address change designating a network change is designated by a higher anomaly score than a subnet address change in the same local area network.
  - 9. The method of claim 1, wherein the anomaly routines include identifying a benchmark anomaly that estimates if the value of the configuration parameter is in an expected range of values;
    - wherein the expected range of values is obtained based on the values of the same configuration parameter in other stations of the network.
  - 10. The method of claim 9, wherein the score for the benchmark anomaly is calculated as a Kullback-Leibler divergence between the likelihood of an expected value and the value of the configuration parameter.
  - 11. The method of claim 1, wherein the score for the delta anomaly is calculated as a Kullback-Leibler divergence between the likelihood of an expected value and the value of the configuration parameter.
  - 12. The method of claim 1, wherein the anomaly routines include identifying a consistency anomaly that verifies that the value of the configuration parameter is consistent with the changes in similar stations.
  - 13. A non-transitory computer readable medium for storing program code to execute the method according to claim 1.

14. A method of analyzing and prioritizing configuration parameters in an information technology system, comprising:
- collecting configuration, parameters from computer stations connected in a network implementing the information technology system;
  
  storing the collected configuration parameters in a database;
  
  analyzing the configuration parameters by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing a level of conformity of the value of the configuration parameters to the anomaly;
  
  aggregating the anomaly scores;
  
  outputting a list of configuration parameters with an aggregated anomaly score;
  
  wherein the analyzing further comprises;
  
  comparing the values of configuration parameters of a station from a later time with previous values of configuration parameters of the station;
  
  determining changes in the configuration parameters by said comparing;
  
  analyzing the determined changes by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing the level of conformity of the changes in the configuration parameters to the anomaly;
  
  wherein the anomaly routines include comparing the data type of the previous value to the data type of the value at the later time and identifying an anomaly if the data type changed;
  
  wherein a data type change from a numerical value to a non-numerical value or vice versa is more severe and is designated by a higher anomaly score than a change from one numerical representation to another.

15. A system for analyzing and prioritizing configuration parameters of applications in an information technology system, comprising:
- an agent application configured to collect configuration parameters of applications executed on computer stations connected in a network implementing the information technology system;
  
  a database configured to store the collected configuration parameters;
  
  a server computer configured to execute a program that analyzes the configuration parameters by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing a level of conformity of the value of the configuration parameter to the anomaly;
  
  aggregating the anomaly scores; and
  
  outputting a list of configuration parameters with an aggregated anomaly score;
  
  wherein the anomaly routines include identifying a delta anomaly that estimates if the value of the configuration parameter is in an expected range of values;
  
  wherein the expected range of values is obtained based on the values of the same configuration parameter in other stations of the network; and
  
  /orwherein the anomaly routines include identifying a policy violation anomaly that verifies that the value of the configuration parameter does not violate a user specified rule.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein analyzing the configuration parameters further comprises:
    - comparing the values of configuration parameters of a station from a later time with previous values of configuration parameters of the station;
      
      determining changes in the configuration parameters by said comparing;
      
      analyzing the determined changes by a set of anomaly routines, wherein each anomaly routine checks for a specific type of anomaly and provides a score representing the level of conformity of the changes in the configuration parameters to the anomaly.
  - 17. The system of claim 16, wherein the anomaly routines include comparing the data type of the previous value to the data type of the value at the later time and identifying an anomaly if the data type changed.
  - 18. The system of claim 16, wherein the anomaly routines include identifying a relative difference anomaly that measures the difference between the previous value and the value at the later time relative to the previous value.
  - 19. The system of claim 18, wherein a larger relative difference is designated by a higher anomaly score.
  - 20. The system of claim 18, wherein a downgraded software version is designated by a higher anomaly score than an upgraded version.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ESI Software Ltd.
Original Assignee
ESI Software Ltd.
Inventors
Kaluza, Bostjan, Oz, Eyal, Gilenson, Alexander Sasha
Primary Examiner(s)
Bullock, Joshua

Application Number

US15/437,465
Publication Number

US 20180239682A1
Time in Patent Office

1,162 Days
Field of Search

707748
US Class Current
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3051   Monitoring arrangements for...

G06F 11/3082   the data filtering being ac...

G06F 16/2365   Ensuring data consistency a...

G06F 16/2379   Updates performed during on...

G06F 7/02   Comparing digital values G0...

System and method for automated detection of anomalies in the values of configuration item parameters

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for automated detection of anomalies in the values of configuration item parameters

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links