System, computer-usable medium and method for monitoring network activity

US 20050234920A1
Filed: 12/22/2004
Published: 10/20/2005
Est. Priority Date: 04/05/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system, coupled to a network, the system comprising:

a collection module for collecting a stream of flow records from an observation point within the network, wherein the stream of flow records is collected in accordance with a first set of configuration parameters;

a statistical module for generating a statistical result from the stream of flow records as each flow record is collected, wherein the statistical result is generated in accordance with a second set of configuration parameters;

an analysis module for analyzing the statistical result to monitor network activity associated with the observation point, wherein the statistical result is analyzed in accordance with a third set of configuration parameters; and

wherein the first, second, and third sets of configuration parameters can be modified at any time, after abnormal activity is detected by the analysis module, to alter a magnification level by which a subset of the network activity is subsequently monitored.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system couples to a network and monitors activity thereon. The system comprises one or more capture modules. Each capture module comprises a collection, statistical, and analysis modules. The collection module collects flow records from an observation point within the network, wherein the flow records are collected per a first set of configuration parameters. The statistical module generates a statistical result from the flow records as each flow record is collected, wherein the statistical result is generated per a second set of configuration parameters. The analysis module analyzes the statistical result to monitor network activity associated with the observation point, wherein the statistical result is analyzed per a third set of configuration parameters. The first, second and third sets of configuration parameters can generally be modified at any time, after abnormal activity is detected, to alter a magnification level by which a subset of the network activity is monitored.

199 Citations

28 Claims

1. A system, coupled to a network, the system comprising:
- a collection module for collecting a stream of flow records from an observation point within the network, wherein the stream of flow records is collected in accordance with a first set of configuration parameters;
  
  a statistical module for generating a statistical result from the stream of flow records as each flow record is collected, wherein the statistical result is generated in accordance with a second set of configuration parameters;
  
  an analysis module for analyzing the statistical result to monitor network activity associated with the observation point, wherein the statistical result is analyzed in accordance with a third set of configuration parameters; and
  
  wherein the first, second, and third sets of configuration parameters can be modified at any time, after abnormal activity is detected by the analysis module, to alter a magnification level by which a subset of the network activity is subsequently monitored.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system as recited in claim 1, wherein the subset of network activity corresponds to a portion of the network activity where the abnormal activity occurred.
  - 3. The system as recited in claim 2, further comprising one or more capture modules, each encapsulating the collection module and at least one of the statistical and analysis modules, wherein the one or more capture modules are implemented with computer-executable program instructions.
  - 4. The system as recited in claim 3, wherein the system further comprises a data storage device for storing the computer-executable program instructions and a processing device for executing the computer-executable program instructions.
  - 5. The system as recited in claim 1, wherein a user interface coupled to the system is configured for graphically displaying at least one of the statistical result and an analysis result thereof, and accepting user commands for modifying the first, second and third sets of configuration parameters.
  - 6. The system as recited in claim 1, wherein the collection module is configured for collecting the stream of flow records from a network device arranged on the network and associated with the observation point.
  - 7. The system as recited in claim 6, wherein the observation point comprises the network device.
  - 8. The system as recited in claim 6, wherein the observation point comprises an additional network device arranged within the network.
  - 9. The system as recited in claim 6, wherein the observation point comprises a link arranged between the network device and the additional network device.
  - 10. The system as recited in claim 1, wherein the first set of configuration parameters designates a subset of data to be collected from each flow record in the stream, and a time interval over which to collect the subset of data.
  - 11. The system as recited in claim 10, wherein the subset of data corresponds to one or more record event fields selected from a group comprising a source identifier, a destination identifier, a start time, an end time, and one or more traffic statistics.
  - 12. The system as recited in claim 10, wherein the time interval is selected from a range of programmable time values extending between about one second and about thirty days.
  - 13. The system as recited in claim 10, wherein the statistical module is configured for generating the statistical result during the time interval as each subset of data is collected from the stream of flow records.
  - 14. The system as recited in claim 13, wherein the second set of configuration parameters designates a type of statistical model to be used for generating the statistical result, in addition to one or more properties associated with the designated type of statistical model.
  - 15. The system as recited in claim 13, wherein the analysis module is configured for analyzing the statistical result upon completion of the time interval.
  - 16. The system as recited in claim 15, wherein the third set of configuration parameters designates a type of analysis model to be used for analyzing the statistical result, in addition to one or more properties associated with the designated type of analysis model.
  - 17. The system as recited in claim 1, wherein the magnification level is altered by modifying at least one of the first, second and third configuration parameters to respectively collect, generate or analyze a subsequent stream of flow records in a different manner.

18. A computer-executable method for isolating a source of abnormal network activity, the method comprising:
- collecting a stream of flow records associated with a plurality of observation points within a network during a first time interval;
  
  generating a plurality of statistical results by grouping the flow records, as each flow record is collected, by observation point and in accordance with a set of configuration parameters;
  
  analyzing the plurality of statistical results upon completion of the first time interval to monitor network activity associated with each of the plurality of observation points;
  
  modifying the set of configuration parameters, if abnormal network activity is detected during the step of analyzing, to alter a magnification level by which a subset of the network activity is subsequently monitored; and
  
  repeating the steps of collecting, generating, analyzing, and modifying over one or more consecutive time intervals until the source of the abnormal network activity is isolated to one or more of the plurality of observation points.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The computer-executable method as recited in claim 18, wherein the plurality of observation points comprises a plurality of network devices arranged within the network, on a boundary of the network, or both.
  - 20. The computer-executable method as recited in claim 19, wherein the plurality of observation points further comprises a plurality of links arranged between the plurality of network devices.
  - 21. The computer-executable method as recited in claim 18, wherein the set of configuration parameters designates a subset of data to be collected from each flow record in the stream, the first time interval over which to collect the subset of data, a type of statistical model to be used for generating the statistical results, and one or more properties associated with the designated type of statistical model.
  - 22. The computer-executable method as recited in claim 18, wherein said analyzing generates a plurality of analysis results by calculating a density function for each of the plurality of statistical results.
  - 23. The computer-executable method as recited in claim 22, wherein said analyzing monitors network activity by comparing the plurality of analysis results to a predefined threshold value.
  - 24. The computer-executable method as recited in claim 22, wherein said analyzing monitors network activity by comparing the plurality of analysis results to a predefined shape.
  - 25. The computer-executable method as recited in claim 22, wherein said analyzing monitors network activity without requiring previous statistical or analysis results to be stored for comparison purposes.
  - 26. The computer-executable method as recited in claim 18, wherein said modifying enables a subsequent stream of flow records to be collected and a subsequent plurality of statistical results to be generated in greater detail than they were previously collected and generated.

27. A computer-usable medium, comprising:
- a first set of program instructions executable on a computer system for collecting a stream of flow records from a plurality of observation points within a network;
  
  a second set of program instructions executable on a computer system for generating a plurality of statistical results by grouping the flow records, as each flow record is collected, by observation point and in accordance with a set of configuration parameters;
  
  a third set of program instructions executable on a computer system for analyzing the plurality of statistical results to monitor network activity associated with each of the plurality of observation points; and
  
  wherein any of the first, second and third program instructions can be programmably reconfigured at any time, after abnormal activity is detected by the third set of program instructions, to alter a magnification level by which a subset of the network activity is subsequently monitored.
- View Dependent Claims (28)
- - 28. The computer-usable medium as recited in claim 27, wherein the computer-usable medium comprises a storage device, a processing device or a transmission medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Rhodes, Lee

Application Number

US11/021,942
Publication Number

US 20050234920A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 41/142   using statistical or mathem...

H04L 43/026   using flow identification

Y02D 30/50   in wire-line communication ...

System, computer-usable medium and method for monitoring network activity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

199 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System, computer-usable medium and method for monitoring network activity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links