Tracking the dynamics of application-centric clusters in a virtualized datacenter
First Claim
1. A method for detecting anomalies in traffic patterns related to a first network address associated with an element in a computer network, the method comprising:
- during each of a plurality of time periods, analyzing network traffic characteristics for traffic relating to the first network address to create a probabilistic distribution for flows that start or end at the first network address;
- comparing the probabilistic distributions of the flows that are created for the plurality of time periods to identify at least one particular time period that has a particular probabilistic distribution of flows that diverges from other probabilistic distributions created for other time periods; and
- identifying the particular time period for a network administrator to analyze in order to identify a source for an anomalous event that has caused the particular probabilistic distribution to diverge.
Abstract
For a managed network including multiple nodes providing multiple services and executing multiple applications, some embodiments provide a method for generating groupings of network addresses associated with different applications or services. The method analyzes network traffic patterns using a probabilistic topic modeling algorithm to generate the groupings of network addresses. In some embodiments, data is collected and analyzed periodically. A network administrator defines the granularity of the time stamps in some embodiments to monitor changes in network traffic patterns over time for each network address or node and/or for the network as a whole. For each network address or node, a probability distribution over the topics at a given time is stored in some embodiments. The stored distributions are then used to determine a divergence over time of the application or service provided by the network address or node. Additionally, the stored distributions can be used to detect anomalous behavior.
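The per-period comparison described in the first claim and the abstract can be sketched as follows; this is an added example, not code from the patent. It assumes simple "direction:port" flow categories in place of the topic-model output, Jensen-Shannon divergence as the comparison measure, a median over the other periods, and a threshold of 0.1, none of which the page specifies; the flow data is constructed.

```python
import math
from collections import Counter
from statistics import median

# Constructed sample: flows that start or end at one address, labelled
# "direction:port" and grouped by hourly period (labels are hypothetical).
PERIOD_FLOWS = {
    "00:00": ["in:443"] * 60 + ["out:5432"] * 30 + ["out:53"] * 10,
    "01:00": ["in:443"] * 55 + ["out:5432"] * 35 + ["out:53"] * 10,
    "02:00": ["in:443"] * 20 + ["out:5432"] * 10 + ["out:53"] * 5 + ["out:25"] * 65,
    "03:00": ["in:443"] * 62 + ["out:5432"] * 28 + ["out:53"] * 10,
}

def flow_distribution(flows, categories):
    """Add-one smoothed probability of each flow category in one period."""
    counts = Counter(flows)
    total = len(flows) + len(categories)
    return [(counts[c] + 1) / total for c in categories]

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits (0 = identical, 1 = disjoint)."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def score_periods(period_flows):
    """Median divergence of each period's distribution from every other period's."""
    categories = sorted({f for flows in period_flows.values() for f in flows})
    dists = {t: flow_distribution(fl, categories) for t, fl in period_flows.items()}
    return {
        t: median(js_divergence(p, q) for u, q in dists.items() if u != t)
        for t, p in dists.items()
    }

def divergent_periods(period_flows, threshold=0.1):
    """Periods to hand to an administrator; threshold is an assumed tuning value."""
    scores = score_periods(period_flows)
    return sorted(t for t, s in scores.items() if s > threshold)

if __name__ == "__main__":
    for period, score in score_periods(PERIOD_FLOWS).items():
        print(f"{period}  median JSD = {score:.3f}")
    print("review:", divergent_periods(PERIOD_FLOWS))
```

Using the median of pairwise divergences keeps a single anomalous period from inflating the scores of the normal periods, which a mean over the other periods would do.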
20 Claims
12. A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for detecting anomalies in traffic patterns related to a first network address associated with an element in a computer network, the program comprising sets of instructions for:
- during each of a plurality of time periods, analyzing network traffic characteristics for traffic relating to the first network address to create a probabilistic distribution for flows that start or end at the first network address;
- comparing the probabilistic distributions of the flows that are created for the plurality of time periods to identify at least one particular time period that has a particular probabilistic distribution of flows that diverges from other probabilistic distributions created for other time periods; and
- identifying the particular time period for a network administrator to analyze in order to identify a source for an anomalous event that has caused the particular probabilistic distribution to diverge.
Specification