STATISTICAL METHOD AND SYSTEM FOR NETWORK ANOMALY DETECTION
First Claim
1. A method for determining an Internet protocol (IP) network status comprising the steps of:
- monitoring an IP communications network, said IP communications network comprising a plurality of associated computer systems, said monitoring step further comprising the steps of:
  - evaluating logged data communicated on said IP communications network as said logged data is logged; and
  - detecting at least one data communications event from said logged data to be a potentially anomalous event by nominating said at least one data communications event and performing a time series generation associated with the communication of said at least one data communications event on said IP communications network;
- discovering said potentially anomalous data event to be an anomalous event by forming a percentiled data set from said logged data and comparing said at least one data communications event to a threshold level associated with said percentiled data set; and
- generating an alert signal in association with said monitoring step if said anomalous event differs from said percentiled data set by a level at least equal to said threshold level.
Abstract
An anomaly detection method and system determine network status by monitoring network activity. A statistics-based profile for said network over a period is generated to analyze potentially anomalous network activity to determine if said network activity is anomalous by comparing current activity against the profile. Using the profile as a reference, the anomaly detection system and process estimate and prioritize potentially anomalous network activity based on the probability that the behavior is anomalous. The level of severity that the anomaly detection process uses to determine if an alarm is needed is based on comparing user-adjustable thresholds to the current probability. If the threshold has been breached, the user is alerted, subject to other quality checks. After a reporting cycle concludes, the anomaly detection system and process recompiles the statistics-based profile to take into account the information observed in the previous reporting cycle.
20 Claims
1. A method for determining an Internet protocol (IP) network status (set out in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for determining an Internet protocol (IP) network status, comprising:
- a computer system comprising a computer-readable medium, said computer-readable medium further comprising:
  - a set of instructions and associated circuitry for monitoring an IP communications network, said IP communications network comprising a plurality of associated computer systems, said monitoring instructions further comprising:
    - a set of instructions and associated circuitry for evaluating logged data communicated on said IP communications network as said logged data is logged; and
    - a set of instructions and associated circuitry for detecting at least one data communications event from said logged data to be a potentially anomalous event by nominating said at least one data communications event and performing a time series generation associated with the communication of said at least one data communications event on said IP communications network;
  - a set of instructions and associated circuitry for discovering said potentially anomalous data event to be an anomalous event by forming a percentiled data set from said logged data and comparing said at least one data communications event to a threshold level associated with said percentiled data set; and
  - said computer system further comprising a set of instructions and associated circuitry for generating an alert signal in association with said monitoring step if said anomalous event differs from said percentiled data set by a level at least equal to said threshold level.
Dependent claims: 12, 13, 14, 15, 16, 17, 18.

19. A computer readable medium, comprising:
- a set of instructions and associated circuitry for monitoring an IP communications network, said IP communications network comprising a plurality of associated computer systems, said monitoring instructions further comprising:
  - a set of instructions and associated circuitry for evaluating logged data communicated on said IP communications network as said logged data is logged;
  - a set of instructions and associated circuitry for detecting at least one data communications event from said logged data to be a potentially anomalous event by nominating said at least one data communications event and performing a time series generation associated with the communication of said at least one data communications event on said IP communications network;
- a set of instructions and associated circuitry for discovering said potentially anomalous data event to be an anomalous event by forming a percentiled data set from said logged data and comparing said at least one data communications event to a threshold level associated with said percentiled data set; and
- said computer-readable memory further comprising a set of instructions and associated circuitry for generating an alert signal in association with said monitoring step if said anomalous event differs from said percentiled data set by a level at least equal to said threshold level.
Dependent claims: 20.
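The steps of claim 1 and the abstract carried through on sample data, as an added example that is not the patent's own code: events are evaluated as they are logged, nominated by (source IP, destination port) into a per-interval time series, a percentiled profile is formed from the previous reporting cycle, each current interval is compared to the chosen percentile, an alert is raised when the excess is at least a user-adjustable margin and ranked by the empirical probability that the count is anomalous, and the profile is recompiled when the cycle ends. The log line format, the 60-second interval, the 95th percentile, the alert margin of 5, the `exclude_alerted` hardening option and every log line are constructed assumptions, not details taken from the patent.

```python
"""Percentile-profile anomaly detector over IP event logs.

Added example, not code from the patent. Log format, interval length,
percentile, alert margin and all sample data are assumptions.
"""
import bisect
import math
from collections import Counter, defaultdict

INTERVAL = 60        # seconds per time-series bucket (assumption)
PERCENTILE = 0.95    # profile percentile (assumption; user-adjustable per the abstract)
ALERT_MARGIN = 5     # events above the percentile needed to raise an alert (assumption)


def parse_line(line):
    """Parse one constructed log line: '<epoch> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, int(dport)


def nominate(event):
    """Nominate the unit of activity to track: the (source IP, destination port) pair."""
    _, src, _, _, dport = event
    return (src, dport)


def build_time_series(lines, interval=INTERVAL):
    """Time series generation: per-key event counts for each interval bucket."""
    series = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        series[nominate(event)][event[0] // interval] += 1
    return series


def percentile(sorted_values, p):
    """Nearest-rank percentile of an ascending list (0 for an empty list)."""
    if not sorted_values:
        return 0
    return sorted_values[max(0, math.ceil(p * len(sorted_values)) - 1)]


def build_profile(series, buckets, p=PERCENTILE, skip=frozenset()):
    """Percentiled data set for one reporting cycle. Buckets where a key was
    silent count as zero; (key, bucket) pairs in `skip` are left out."""
    profile = {}
    for key, counts in series.items():
        values = sorted(counts.get(b, 0) for b in buckets if (key, b) not in skip)
        profile[key] = (values, percentile(values, p))
    return profile


def score(profile, key, count):
    """Compare a current count to the profile. Returns (threshold, excess over
    threshold, empirical probability that the count is anomalous). A key with
    no baseline gets threshold 0 and probability 1.0 so that a never-seen
    (source, port) pair surfaces for the 'other quality checks' the abstract
    mentions instead of being ignored."""
    values, threshold = profile.get(key, ([], 0))
    prob = bisect.bisect_left(values, count) / len(values) if values else 1.0
    return threshold, count - threshold, prob


def detect(profile, series, bucket, margin=ALERT_MARGIN):
    """Alert on every key whose count in `bucket` exceeds its percentile
    threshold by at least `margin`; highest probability first."""
    alerts = []
    for key, counts in series.items():
        count = counts.get(bucket, 0)
        threshold, excess, prob = score(profile, key, count)
        if excess >= margin:
            alerts.append({"bucket": bucket, "key": key, "count": count,
                           "threshold": threshold, "excess": excess, "probability": prob})
    alerts.sort(key=lambda a: (-a["probability"], -a["excess"]))
    return alerts


def run_cycle(profile, lines, buckets, margin=ALERT_MARGIN, exclude_alerted=False):
    """Monitor one reporting cycle against the previous profile, then recompile
    the profile from this cycle. exclude_alerted=True leaves alerted intervals
    out of the new profile so one spike cannot raise next cycle's threshold
    (a hardening the patent does not describe)."""
    series = build_time_series(lines)
    alerts = [a for b in buckets for a in detect(profile, series, b, margin)]
    skip = {(a["key"], a["bucket"]) for a in alerts} if exclude_alerted else frozenset()
    return alerts, build_profile(series, buckets, skip=skip)


def make_lines(src, dport, per_bucket, start_bucket, interval=INTERVAL):
    """Constructed sample log lines: per_bucket[i] events in bucket start_bucket + i."""
    return [f"{(start_bucket + i) * interval + j} {src} 192.0.2.10 tcp {dport}"
            for i, n in enumerate(per_bucket) for j in range(n)]


# Constructed data: a baseline cycle (buckets 0-9) and the cycle under watch (10-19).
BASELINE_BUCKETS = range(0, 10)
CURRENT_BUCKETS = range(10, 20)
BASELINE_LOG = (make_lines("10.0.0.5", 443, [3, 3, 4, 3, 3, 5, 3, 4, 3, 3], 0)
                + make_lines("10.0.0.7", 22, [1] * 10, 0))
CURRENT_LOG = (make_lines("10.0.0.5", 443, [3, 4, 3, 30, 3, 3, 4, 3, 3, 3], 10)     # spike in bucket 13
               + make_lines("10.0.0.7", 22, [1, 1, 1, 1, 1, 4, 1, 1, 1, 1], 10)     # above p95, under margin
               + make_lines("10.0.0.9", 3389, [0, 0, 0, 0, 0, 0, 0, 7, 0, 0], 10))  # absent from baseline


def demo(exclude_alerted=False):
    """Build the profile from the baseline cycle and run the current cycle against it."""
    profile = build_profile(build_time_series(BASELINE_LOG), BASELINE_BUCKETS)
    return run_cycle(profile, CURRENT_LOG, CURRENT_BUCKETS, exclude_alerted=exclude_alerted)


if __name__ == "__main__":
    alerts, new_profile = demo()
    for a in alerts:
        print(f"ALERT bucket={a['bucket']} key={a['key']} count={a['count']} "
              f"p95={a['threshold']} excess={a['excess']} p={a['probability']:.2f}")
    print("recompiled p95 for ('10.0.0.5', 443):", new_profile[("10.0.0.5", 443)][1])
```

Two things the run makes visible that the claims do not. With only ten intervals per cycle a nearest-rank 95th percentile is simply the cycle maximum, so a deployment needs far more intervals per cycle before the percentile means anything. And the recompile step is the exposed surface: the single 30-event spike that raised the alert becomes the next cycle's threshold for that pair, so an attacker who can tolerate one alert can lift the baseline before the real activity starts; `exclude_alerted=True` shows one mitigation, keeping alerted intervals out of the recompiled profile, which is a design choice of this example rather than anything the patent describes.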