Event detection/anomaly correlation heuristics

US 20060173992A1
Filed: 11/03/2003
Published: 08/03/2006
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting conditions in a network, comprising:

finding anomalies, which are low-level differences in network operation relative to some comparison period; and

collecting anomalies into operationally relevant events.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Citations

21 Claims

1. A method for detecting conditions in a network, comprising:
- finding anomalies, which are low-level differences in network operation relative to some comparison period; and
  
  collecting anomalies into operationally relevant events.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - sending event reports to an operator.
  - 3. The method of claim 1 wherein collecting anomalies into events comprises:
    - traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
  - 4. The method of claim 1 further comprising determining event severity.
  - 5. The method of claim 4 wherein the event severity is characterized by at least one of the type, number, and severity of anomalies that led to the identification of the event.
  - 6. The method of claim 1 wherein collecting anomalies, comprises:
    - tracking a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 7. The method of claim 1 wherein collecting anomalies into events comprises tracking a variance of a parameter to allow collecting to account for burstiness in network traffic.

8. A computer readable medium tangible storing a computer program product for detecting intrusions in a network, comprises instructions for causing a processor to:
- find anomalies, which are low-level differences in network operation relative to some comparison period; and
  
  collect anomalies into operationally relevant events.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The product of claim 8 further comprising instructions to:
    - send event reports to an operator.
  - 10. The product of claim 8 wherein collecting anomalies into events comprises instructions to:
    - traverse a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
  - 11. The product of claim 8 further comprising instructions to:
    - determine event severity.
  - 12. The product of claim 11 wherein event severity is characterized by at least one of the type, number, and severity of anomalies that led to the identification of the event.
  - 13. The product of claim 8 wherein instructions to collect anomalies, further comprises instructions to:
    - track a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 14. The product of claim 8 wherein instructions to collect anomalies into events comprises instructions to:
    - track a variance of a parameter to account for burstiness in network traffic.

15. A device for detecting conditions in a network, comprising:
- circuitry to find anomalies, which are low-level differences in network operation relative to some comparison period; and
  
  circuitry to collect anomalies into operationally relevant events.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The device of claim 15 further comprising:
    - circuitry to send event reports to an operator.
  - 17. The device of claim 15 wherein circuitry to collect anomalies into events comprises:
    - circuitry to traverse a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
  - 18. The device of claim 15 further comprising circuitry to determine event severity.
  - 19. The device of claim 18 wherein the circuitry characterizes the event severity by at least one of type, number, and severity of anomalies that led to the identification of the event.
  - 20. The device of claim 15 wherein circuitry to collect anomalies, comprises:
    - circuitry to track a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 21. The device of claim 15 wherein circuitry to collect anomalies into events comprises:
    - circuitry to track a variance of a parameter to account for burstiness in network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Gopalan, Prem, Poletto, Massimiliano Antonio, Weber, Daniel

Granted Patent

US 7,363,656 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Event detection/anomaly correlation heuristics

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Event detection/anomaly correlation heuristics

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links