Method and system for detecting a network anomaly in a network
Abstract
A method for detecting a network anomaly in a network includes collecting management information base (MIB) data from the network at an interval and constructing a time series of the collected data. The method also includes decomposing the time series of the collected data in the wavelet domain, constructing an energy plot based on the time series decomposed in the wavelet domain and analyzing the energy plot to determine a sign of a network anomaly event.
31 Claims
1. A method for detecting a network anomaly in a network, comprising:
- collecting management information base (MIB) data from the network at an interval;
- constructing a time series of the collected data;
- decomposing the time series of the collected data;
- constructing an energy plot based on the decomposed time series; and
- analyzing the energy plot to determine a sign of a network anomaly event.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for detecting a network anomaly in a network comprising a network device comprising:
- a memory operable to collect management information base (MIB) data from the network at an interval; and
- a controller coupled to the memory, the controller operable to:
  - construct a time series of the collected data;
  - decompose the time series of the collected data;
  - construct an energy plot based on the decomposed time series; and
  - analyze the energy plot to determine a sign of a network anomaly event.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20.
21. Software embodied in a computer readable medium, the computer readable medium comprising code operable to:
- collect management information base (MIB) data from the network at an interval;
- construct a time series of the collected data;
- decompose the time series of the collected data;
- construct an energy plot based on the decomposed time series; and
- analyze the energy plot to determine a sign of a network anomaly event.
Dependent claims: 22, 23, 24, 25, 26, 27, 28, 29, 30.
31. A method for detecting a misconfiguration in a network, comprising:
- collecting management information base (MIB) data from the network at an interval, the data comprising packet count statistics;
- constructing a time series of the collected data;
- decomposing the time series of the collected data in the wavelet domain using the Haar wavelet function;
- constructing an energy plot based on the time series decomposed in the wavelet domain;
- analyzing the energy plot to determine a sign of a misconfiguration event, wherein a sign of a misconfiguration event comprises a deviation from linear behavior in the energy plot;
- repeating the collecting MIB data, constructing a time series, decomposing the time series in the wavelet domain, constructing an energy plot and analyzing the energy plot a selected number of times;
- generating an alarm indicating a misconfiguration event if a sign of a misconfiguration event is detected a selected threshold of the selected number of times; and
- wherein the misconfiguration event comprises at least one of duplication of IP address space, packet filtering misconfiguration, permanent routing loop and distributed denial of service attack.
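The steps of claim 31 as an added Python example (not code from the patent). It assumes the energy plot is the log2 mean energy of the Haar detail coefficients per scale and that "linear behavior" is judged against a least-squares line; the function names, the `tolerance` and `threshold` values and the sample packet counts are constructed for illustration.

```python
import math
import random

def energy_plot(series, min_coeffs=16):
    """Haar-decompose a count series; return log2 mean detail energy per scale."""
    approx, plot = [float(v) for v in series], []
    while len(approx) >= 2 * min_coeffs:          # keep enough coefficients per scale
        pairs = list(zip(approx[0::2], approx[1::2]))
        detail = [(a - b) / math.sqrt(2) for a, b in pairs]   # Haar detail coefficients
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]   # input to the next scale
        energy = sum(d * d for d in detail) / len(detail)
        plot.append(math.log2(energy + 1e-12))    # epsilon guards log2(0)
    return plot

def linear_deviation(plot):
    """Largest residual of the energy plot from its least-squares line."""
    n = len(plot)
    if n < 3:                                     # a line fits two points exactly
        return 0.0
    xs = range(1, n + 1)
    mx, my = (n + 1) / 2, sum(plot) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, plot)) / sxx
    return max(abs(y - (my + slope * (x - mx))) for x, y in zip(xs, plot))

def detect(windows, tolerance=3.0, threshold=3):
    """Alarm when at least `threshold` of the analysed windows show a sign.

    tolerance (in log2 units) and threshold are assumed values, not the patent's.
    """
    signs = [linear_deviation(energy_plot(w)) > tolerance for w in windows]
    return sum(signs) >= threshold, signs

def sample_window(rng, periodic_burst, length=512):
    """Constructed per-interval packet counts: noisy baseline, optional periodic
    burst (period 8), chosen because it concentrates energy at a single scale."""
    return [1000 + rng.gauss(0, 10) + (100 if periodic_burst and t % 8 < 4 else 0)
            for t in range(length)]

rng = random.Random(7)
NORMAL = [sample_window(rng, False) for _ in range(5)]
SUSPECT = [sample_window(rng, True) for _ in range(4)] + [sample_window(rng, False)]

if __name__ == "__main__":
    print("normal :", detect(NORMAL))
    print("suspect:", detect(SUSPECT))
```

The baseline windows give a nearly flat energy plot, while the periodic component raises the energy at the third scale only, which is what the residual check picks up.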
Specification