ANOMALY DETECTION METHODS FOR A COMPUTER NETWORK

US 20070150949A1
Filed: 12/28/2005
Published: 06/28/2007
Est. Priority Date: 12/28/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for detecting anomalous data in a data stream, comprising steps of:

a) generating a baseline value corresponding to non-anomalous data in the data stream;

b) generating a first test value based on current data of the data stream;

c) adjusting the baseline value based on the first test value; and

d) triggering an anomaly alarm when the first test value varies from the baseline by at least a predetermined value.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methodologies and systems for detecting an anomaly in a flow of data or data stream are described herein. To detect an anomaly, an anomaly detection server may create a baseline based on historical or other known non-anomalous data within the data stream. The anomaly detection server then generates one or more test values based on current data in the data stream, and compares the test value(s) to the baseline to determine whether they vary by more than a predetermined amount. If the deviation exceeds the predetermined amount, an alarm is triggered. The anomaly detection server may continually adjust the baseline based on the current data in the data stream, and may renormalize the baseline periodically if desired or necessary.

106 Citations

View as Search Results

20 Claims

1. A method for detecting anomalous data in a data stream, comprising steps of:
- a) generating a baseline value corresponding to non-anomalous data in the data stream;
  
  b) generating a first test value based on current data of the data stream;
  
  c) adjusting the baseline value based on the first test value; and
  
  d) triggering an anomaly alarm when the first test value varies from the baseline by at least a predetermined value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step a) comprises using a ramp-up value to generate the baseline value.
  - 3. The method of claim 1, wherein step a) comprises using exponential smoothing to generate the baseline value.
  - 4. The method of claim 1, wherein step c) comprises using exponential smoothing to adjust the baseline value.
  - 5. The method of claim 1, wherein step a) comprises generating the baseline value μ
    - using equations E1 through E6 illustrated in FIG. 3 and FIG. 4.
  - 6. The method of claim 1, wherein step c) comprises adjusting the baseline using equations E7, E8, and E9 illustrated in FIG. 5.
  - 7. The method of claim 1, wherein step d) comprises using equations E10 and E11 illustrated in FIG. 5, and triggering the alarm when Z_i>
    - T and D_i>
      
      T.
  - 8. The method of claim 1, wherein the non-anomalous data and the current data represent network traffic and the data stream is a network traffic data stream.
  - 9. The method of claim 8, wherein the non-anomalous data and current data represent numbers of packets sent over a network.
  - 10. The method of claim 8, wherein the non-anomalous data and current data represent amounts of bytes sent over a network.
  - 11. The method of claim 1, wherein the non-anomalous data and current data represent credit card information.

12. A computer-implemented method for detecting an anomaly in a data stream, comprising steps of:
- a) initializing a baseline value based on known non-anomalous data;
  
  b) comparing a test value to the baseline value;
  
  c) updating the baseline value based on the test value;
  
  d) triggering an alarm when the test value varies from the baseline value by at least a predetermined amount; and
  
  e) iteratively repeating steps b)-d) at predetermined intervals.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computer-implemented method of claim 12, wherein step a) comprises using a ramp-up value to initialize the baseline value.
  - 14. The computer-implemented method of claim 12, wherein step a) comprises using exponential smoothing to initialize the baseline value.
  - 15. The computer-implemented method of claim 12, wherein step c) comprises using exponential smoothing to update the baseline value.
  - 16. The computer-implemented method of claim 12, wherein step a) comprises initializing the baseline value μ
    - using equations E1 through E6 illustrated in FIG. 3 and FIG. 4.
  - 17. The computer-implemented method of claim 12, wherein step c) comprises adjusting the baseline using equations E7, E8, and E9 illustrated in FIG. 5.
  - 18. The computer-implemented method of claim 12, wherein step d) comprises evaluating equations E10 and E11 illustrated in FIG. 5, and triggering the alarm when Z_i>
    - T and D_i>
      
      T.
  - 19. The computer-implemented method of claim 12, wherein the non-anomalous data and the current data represent network traffic and the data stream is a network traffic data stream.
  - 20. The computer-implemented method of claim 12, wherein the non-anomalous data and the current data represent credit card information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Corporation (AT&T, Inc.)
Original Assignee
AT&T Corporation (AT&T, Inc.)
Inventors
Liu, Danielle, Futamura, Kenichi

Application Number

US11/275,351
Publication Number

US 20070150949A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

ANOMALY DETECTION METHODS FOR A COMPUTER NETWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

106 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALY DETECTION METHODS FOR A COMPUTER NETWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

106 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links