Systems and methods for identifying anomalies in network data streams
Abstract
A traffic auditor (130) analyzes traffic in a communications network (100). The traffic auditor (130) performs traffic analysis on traffic in the communications network (100) and develops a model of expected traffic behavior based on the traffic analysis. The traffic auditor (130) analyzes traffic in the communications network (100) to identify a deviation from the expected traffic behavior model.
Claims (44)
1. A method of identifying anomalous traffic in a communications network, comprising:
   performing traffic analysis on network traffic to produce traffic analysis data;
   removing data associated with expected traffic from the traffic analysis data; and
   identifying remaining traffic analysis data as anomalous traffic.
   (Dependent claims: 2, 3, 4)
5. A device for auditing network traffic, comprising:
   a memory configured to store instructions; and
   a processing unit configured to execute the instructions in memory to:
   conduct traffic analysis on the network traffic to produce traffic analysis data, identify expected network traffic, eliminate data associated with the expected traffic from the traffic analysis data, and identify remaining traffic analysis data as anomalous traffic.
   (Dependent claims: 6, 7, 8)
9. A computer-readable medium containing instructions for controlling at least one processor to perform a method of identifying anomalous traffic in a communications network, the method comprising:
   performing traffic analysis on network traffic to produce traffic analysis data;
   identifying expected network traffic;
   removing data associated with the expected traffic from the traffic analysis data; and
   identifying remaining traffic analysis data as anomalous traffic.
   (Dependent claims: 10, 11, 12)
13. A method of analyzing traffic in a communications network, comprising:
   performing traffic analysis on traffic in the communications network;
   developing a model of expected traffic behavior based on the traffic analysis; and
   analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.
   (Dependent claims: 14, 15, 16)
17. A device for analyzing traffic in a communications network, comprising:
   a memory configured to store instructions; and
   a processing unit configured to execute the instructions in memory to:
   conduct traffic analysis on traffic in the communications network;
   construct a model of expected traffic behavior based on the traffic analysis; and
   analyze traffic in the communications network to identify a deviation from the expected traffic behavior model.
   (Dependent claims: 18, 19, 20)
21. A computer-readable medium containing instructions for controlling at least one processor to perform a method for analyzing traffic in a communications network, the method comprising:
   conducting traffic analysis on traffic at one or more locations in the communications network;
   constructing a model of expected traffic behavior based on the traffic analysis; and
   analyzing traffic at the one or more locations in the communications network to identify a deviation from the expected traffic behavior model.
   (Dependent claims: 22, 23, 24)
25. A method of tracing suspicious traffic flows back to a point of origin in a network, comprising:
   performing traffic analysis on one or more flows of network traffic;
   identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and
   tracing the suspicious flow to a point of origin in the network.
   (Dependent claims: 26, 27, 28)
29. A traffic auditing device, comprising:
   a memory configured to store instructions; and
   a processing unit configured to execute the instructions in memory to:
   conduct traffic analysis on one or more flows of network traffic, identify at least one of the one or more flows as a suspicious flow based on the traffic analysis, and trace the suspicious flow to a point of origin in the network.
   (Dependent claims: 30, 31, 32)
33. A computer-readable medium containing instructions for controlling at least one processor to perform a method of tracing suspicious traffic flows back to a point of origin in a network, the method comprising:
   conducting traffic analysis on one or more flows of network traffic;
   identifying at least one of the one or more flows as a suspicious flow based on the traffic analysis; and
   tracing the suspicious flow to a point of origin in the network.
   (Dependent claims: 34, 35, 36)
37. A system for analyzing traffic in a communications network, comprising:
   means for performing traffic analysis on traffic in the communications network;
   means for developing a model of expected traffic behavior based on the traffic analysis; and
   means for analyzing traffic in the communications network to identify a deviation from the expected traffic behavior model.
38. A method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
   performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and
   selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
   (Dependent claims: 39, 40, 41, 42)
43. A device for providing one or more authorizations to at least one of a source and destination of traffic in a communications network, comprising:
   a memory configured to store instructions; and
   a processing unit configured to execute the instructions in memory to:
   perform traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated, and selectively issue, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
44. A computer-readable medium containing instructions for controlling at least one processor to perform a method of providing one or more authorizations to at least one of a source and destination of traffic in a communications network, the method comprising:
   performing traffic analysis on traffic between the source and destination to determine whether the traffic between the source and destination was intercepted or contaminated; and
   selectively issuing, based on results of the traffic analysis, one or more authorizations to the at least one of the source and destination, the one or more authorizations indicating that the traffic between the source and destination was not intercepted or contaminated.
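Claims 1 and 13 describe the core procedure: analyze traffic, build a model of expected behavior from that analysis, remove the traffic the model accounts for, and treat what remains as anomalous. The following added Python example (not the patent's own code) implements that procedure over constructed flow records; the flow fields, the per-destination-and-port byte-size range used as the expected-behavior model, the 3-sigma tolerance and all sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for illustration (not from the patent):
# (src_ip, dst_ip, dst_port, bytes_transferred)
BASELINE_FLOWS = [  # learning period: only expected traffic
    ("10.0.0.9", "10.0.0.5", 443, 1000), ("10.0.0.9", "10.0.0.5", 443, 1200),
    ("10.0.0.8", "10.0.0.5", 443, 1100), ("10.0.0.8", "10.0.0.5", 443, 1300),
    ("10.0.0.7", "10.0.0.5", 443, 1400),
    ("10.0.0.9", "10.0.0.53", 53, 90), ("10.0.0.8", "10.0.0.53", 53, 110),
    ("10.0.0.7", "10.0.0.53", 53, 100), ("10.0.0.9", "10.0.0.53", 53, 100),
]
AUDIT_FLOWS = [  # period under audit, mixing expected and unexpected traffic
    ("10.0.0.9", "10.0.0.5", 443, 1250),    # ordinary HTTPS flow
    ("10.0.0.9", "10.0.0.53", 53, 105),     # ordinary DNS flow
    ("10.0.0.7", "10.0.0.5", 22, 800),      # port never seen in the baseline
    ("10.0.0.9", "10.0.0.5", 443, 50000),   # far outside the learned byte range
]

def traffic_analysis(flows):
    """Step 1: traffic analysis. Group observed byte counts by (dst, port)."""
    samples = defaultdict(list)
    for _src, dst, port, nbytes in flows:
        samples[(dst, port)].append(nbytes)
    return samples

def build_expected_model(baseline_flows, k=3.0):
    """Step 2: model of expected behavior. For each (dst, port) seen in the
    baseline, an allowed byte range of mean +/- k * population std dev.
    Assumption: a 3-sigma band; a constant baseline gives a zero-width band."""
    model = {}
    for key, samples in traffic_analysis(baseline_flows).items():
        mu, sigma = mean(samples), pstdev(samples)
        model[key] = (mu - k * sigma, mu + k * sigma)
    return model

def find_anomalies(flows, model):
    """Steps 3-4: remove flows the model accounts for; the rest are anomalous."""
    anomalous = []
    for flow in flows:
        _src, dst, port, nbytes = flow
        bounds = model.get((dst, port))
        if bounds is not None and bounds[0] <= nbytes <= bounds[1]:
            continue  # expected traffic: dropped from the analysis data
        anomalous.append(flow)
    return anomalous

if __name__ == "__main__":
    for flow in find_anomalies(AUDIT_FLOWS, build_expected_model(BASELINE_FLOWS)):
        print("anomalous flow:", flow)
```

In the constructed data the SSH flow to an unseen port and the oversized HTTPS flow are the two records left after expected traffic is removed.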