Method and apparatus for rapid location of anomalies in IP traffic logs

US 20050207413A1
Filed: 03/18/2005
Published: 09/22/2005
Est. Priority Date: 03/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for identifying an anomaly, comprising:

receiving at least one unit of data, where said at least one unit of data is associated with an event;

monitoring at least one object associated with said event;

ranking said at least one object on a rank list; and

identifying an anomaly in accordance with a movement of said at least one object within said rank list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An efficient method and apparatus for rapidly detecting anomalies from massive data streams is disclosed. In one embodiment, the method enables near real time detection of anomaly behavior in networks. The invention rapidly identifies the addresses that require further analysis and reduces the cost of monitoring, the cost of managing the security of the network as well as reduces the time needed to initiate mitigation steps.

Citations

20 Claims

1. A method for identifying an anomaly, comprising:
- receiving at least one unit of data, where said at least one unit of data is associated with an event;
  
  monitoring at least one object associated with said event;
  
  ranking said at least one object on a rank list; and
  
  identifying an anomaly in accordance with a movement of said at least one object within said rank list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said at least one object comprises at least one of:
    - a source Internet Protocol (IP) address;
      
      a destination Internet Protocol (IP) address, a pair of source and destination IP addresses, a port.
  - 3. The method of claim 1, wherein said movement comprises at least one of:
    - a rate of entry of said at least one object to said rank list, a rate of exit of said at least one object from said rank list, and a rate of movement of said at least one object between rankings of said rank list.
  - 4. The method of claim 3, further comprising:
    - comparing said ranking of said at least one object to historical or condition-defined data.
  - 5. The method of claim 4, wherein said historical or condition-defined data is captured in predefined increment of time.
  - 6. The method of claim 3, further comprising:
    - comparing said ranking of said at least one object to data collected for siblings or cousins.
  - 7. The method of claim 1, wherein said at least one unit of data is at least one packet.
  - 8. The method of claim 7, wherein said at least one packet is received at a communication network.
  - 9. The method of claim 8, wherein said communication network is a packet network.
  - 10. The method of claim 1, further comprising:
    - applying a mitigating function for addressing said anomaly;
      
      or generating a warning flag.

11. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform the steps of method for identifying an anomaly, comprising:
- receiving at least one unit of data, where said at least one unit of data is associated with an event;
  
  monitoring at least one object associated with said event;
  
  ranking said at least one object on a rank list; and
  
  identifying an anomaly in accordance with a movement of said at least one object within said rank list.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer-readable medium of claim 11, wherein said at least one object comprises at least one of:
    - a source Internet Protocol (IP) address;
      
      a destination Internet Protocol (IP) address, a pair of source and destination IP addresses, a port.
  - 13. The computer-readable medium of claim 11, wherein said movement comprises at least one of:
    - a rate of entry of said at least one object to said rank list, a rate of exit of said at least one object from said rank list, and a rate of movement of said at least one object between rankings of said rank list.
  - 14. The computer-readable medium of claim 13, further comprising:
    - comparing said ranking of said at least one object to historical or condition-defined data.
  - 15. The computer-readable medium of claim 14, wherein said historical or condition-defined data is captured in predefined increment of time.
  - 16. The computer-readable medium of claim 13, further comprising:
    - comparing said ranking of said at least one object to data collected for siblings or cousins.
  - 17. The computer-readable medium of claim 11, wherein said at least one unit of data is at least one packet.
  - 18. The computer-readable medium of claim 17, wherein said at least one packet is received at a communication network.
  - 19. The computer-readable medium of claim 18, wherein said communication network is a packet network.

20. An apparatus for identifying an anomaly, comprising:
- means for receiving at least one unit of data, where said at least one unit of data is associated with an event;
  
  means for monitoring at least one object associated with said event;
  
  means for ranking said at least one object on a rank list; and
  
  means for identifying an anomaly in accordance with a movement of said at least one object within said rank list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Lerner, Michah

Granted Patent

US 7,738,373 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 41/0631   using root cause analysis; ...

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and apparatus for rapid location of anomalies in IP traffic logs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for rapid location of anomalies in IP traffic logs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links