Method and system for detecting a network anomaly in a network

US 20060047807A1
Filed: 08/25/2004
Published: 03/02/2006
Est. Priority Date: 08/25/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting a network anomaly in a network, comprising:

collecting management information base (MIB) data from the network at an interval;

constructing a time series of the collected data;

decomposing the time series of the collected data;

constructing an energy plot based on the decomposed time series; and

analyzing the energy plot to determine a sign of a network anomaly event.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting a network anomaly in a network includes collecting management information base (MIB) data from the network at an interval and constructing a time series of the collected data. The method also includes decomposing the time series of the collected data in the wavelet domain, constructing an energy plot based on the time series decomposed in the wavelet domain and analyzing the energy plot to determine a sign of a network anomaly event.

81 Citations

View as Search Results

31 Claims

1. A method for detecting a network anomaly in a network, comprising:
- collecting management information base (MIB) data from the network at an interval;
  
  constructing a time series of the collected data;
  
  decomposing the time series of the collected data;
  
  constructing an energy plot based on the decomposed time series; and
  
  analyzing the energy plot to determine a sign of a network anomaly event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein:
    - decomposing the time series of the collected data comprises decomposing the time series of the collected data in the wavelet domain; and
      
      constructing an energy plot based on the decomposed time series comprises constructing an energy plot based on the time series decomposed in the wavelet domain.
  - 3. The method of claim 2, wherein analyzing the energy plot to determine a sign of a network anomaly event comprises analyzing the energy plot to determine a deviation from linear behavior.
  - 4. The method of claim 3, wherein the deviation from linear behavior comprises an abnormal decrease in the energy value relative to the linear behavior.
  - 5. The method of claim 1, further comprising generating an alarm if a sign of a network anomaly event is detected.
  - 6. The method of claim 2, further comprising:
    - repeating the collecting MIB data, constructing a time series, decomposing the time series in the wavelet domain, constructing an energy plot and analyzing the energy plot a selected number of times; and
      
      generating an alarm indicating a network anomaly event if a sign of a network anomaly event is detected a selected threshold of the selected number of times.
  - 7. The method of claim 6, further comprising generating a notification of healthy traffic if a sign of a network anomaly event is not detected the selected threshold of the selected number of times.
  - 8. The method of claim 2, wherein decomposing the time series of the collected data in a wavelet domain comprises decomposing the time series of the collected data using the Harr wavelet function.
  - 9. The method of claim 1, wherein the network anomaly event comprises at least one of duplication of IP address space, packet filtering misconfiguration, permanent routing loop and distributed denial of service attack.
  - 10. The method of claim 1, wherein collecting MIB data from the network comprises collecting packet count statistics.

11. A system for detecting a network anomaly in a network comprising a network device comprising:
- a memory operable to collect management information base (MIB) data from the network at an interval; and
  
  a controller coupled to the memory, the controller operable to;
  
  construct a time series of the collected data;
  
  decompose the time series of the collected data;
  
  construct an energy plot based on the decomposed time series; and
  
  analyze the energy plot to determine a sign of a network anomaly event.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein:
    - a controller operable to decompose the time series of the collected data comprises a controller operable to decompose the time series of the collected data in the wavelet domain; and
      
      a controller operable to construct an energy plot based on the decomposed time series comprises a controller operable to construct an energy plot based on the time series decomposed in the wavelet domain.
  - 13. The system of claim 12, wherein a controller operable to analyze the energy plot to determine a sign of a network anomaly event comprises a controller operable to analyze the energy plot to determine a deviation from linear behavior.
  - 14. The system of claim 13, wherein the deviation from linear behavior comprises an abnormal decrease in the energy value relative to the linear behavior.
  - 15. The system of claim 11, wherein the controller is further operable to generate an alarm if a sign of a network anomaly event is detected.
  - 16. The system of claim 12, wherein the controller is further operable to:
    - repeat the collecting MIB data, constructing a time series, decomposing the time series in the wavelet domain, constructing an energy plot and analyzing the energy plot a selected number of times; and
      
      generate an alarm indicating a network anomaly event if a sign of a network anomaly event is detected a selected threshold of the selected number of times.
  - 17. The system of claim 16, wherein the controller is further operable to generate a notification of healthy traffic if a sign of a network anomaly event is not detected the selected threshold of the selected number of times.
  - 18. The system of claim 12, wherein a controller operable to decompose the time series of the collected data in a wavelet domain comprises a controller operable to decompose the time series of the collected data using the Harr wavelet function.
  - 19. The system of claim 11, wherein the network anomaly event comprises at least one of duplication of IP address space, packet filtering misconfiguration, permanent routing loop and distributed denial of service attack.
  - 20. The system of claim 11, wherein a memory operable to collect MIB data from the network comprises a memory operable to collect packet count statistics.

21. Software embodied in a computer readable medium, the computer readable medium comprising code operable to:
- collect management information base (MIB) data from the network at an interval;
  
  construct a time series of the collected data;
  
  decompose the time series of the collected data;
  
  construct an energy plot based on the decomposed time series; and
  
  analyze the energy plot to determine a sign of a network anomaly event.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The medium of claim 21, wherein:
    - code operable to decompose the time series of the collected data comprises code operable to decompose the time series of the collected data in the wavelet domain; and
      
      code operable to construct an energy plot based on the decomposed time series comprises code operable to construct an energy plot based on the time series decomposed in the wavelet domain.
  - 23. The medium of claim 22, wherein code operable to analyze the energy plot to determine a sign of a network anomaly event comprises code operable to analyze the energy plot to determine a deviation from linear behavior.
  - 24. The medium of claim 23, wherein the deviation from linear behavior comprises an abnormal decrease in the energy value relative to the linear behavior.
  - 25. The medium of claim 21, wherein the code is further operable to generate an alarm if a sign of a network anomaly event is detected.
  - 26. The medium of claim 22, wherein the code is further operable to:
    - repeat the collecting MIB data, constructing a time series, decomposing the time series in the wavelet domain, constructing an energy plot and analyzing the energy plot a selected number of times; and
      
      generate an alarm indicating a network anomaly event if a sign of a network anomaly event is detected a selected threshold of the selected number of times.
  - 27. The medium of claim 26, wherein the code is further operable to generate a notification of healthy traffic if a sign of a network anomaly event is not detected the selected threshold of the selected number of times.
  - 28. The medium of claim 22, wherein code operable to decompose the time series of the collected data in a wavelet domain comprises code operable to decompose the time series of the collected data using the Harr wavelet function.
  - 29. The medium of claim 21, wherein the network anomaly event comprises at least one of duplication of IP address space, packet filtering misconfiguration, permanent routing loop and distributed denial of service attack.
  - 30. The medium of claim 21, wherein code operable to collect MIB data from the network comprises code operable to collect packet count statistics.

31. A method for detecting a misconfiguration in a network, comprising:
- collecting management information base (MIB) data from the network at an interval, the data comprising packet count statistics;
  
  constructing a time series of the collected data;
  
  decomposing the time series of the collected data in the wavelet domain using the Harr wavelet function;
  
  constructing an energy plot based on the time series decomposed in the wavelet domain;
  
  analyzing the energy plot to determine a sign of a misconfiguration event, wherein a sign of a misconfiguration event comprises a deviation from linear behavior in the energy plot;
  
  repeating the collecting MIB data, constructing a time series, decomposing the time series in the wavelet domain, constructing an energy plot and analyzing the energy plot a selected number of times;
  
  generating an alarm indicating a misconfiguration event if a sign of a misconfiguration event is detected a selected threshold of the selected number of times; and
  
  wherein the misconfiguration event comprises at least one of duplication of IP address space, packet filtering misconfiguration, permanent routing loop and distributed denial of service attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fujitsu Limited
Original Assignee
Fujitsu Limited
Inventors
Hamada, Takeo, Magnaghi, Antonio

Application Number

US10/926,108
Publication Number

US 20060047807A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/064   involving time analysis

H04L 41/065   involving logical or physic...

H04L 41/0677   Localisation of faults

H04L 63/1458   Denial of Service

Method and system for detecting a network anomaly in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for detecting a network anomaly in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links