Impact Scoring and Reducing False Positives

US 20100027432A1
Filed: 11/06/2008
Published: 02/04/2010
Est. Priority Date: 07/31/2008
Status: Active Grant

First Claim

Patent Images

1. A computer program product residing on a computer readable medium for anomaly detection, the computer program product comprising instructions for causing a processor to:

detect a spike or dip in at least one network traffic characteristic;

determine a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by;

comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;

determine changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by;

comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and

produce impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.

View all claims

22 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to an aspect of the invention, a system and method is onfigured to generate impact scores based on observed network traffic.

Citations

29 Claims

1. A computer program product residing on a computer readable medium for anomaly detection, the computer program product comprising instructions for causing a processor to:
- detect a spike or dip in at least one network traffic characteristic;
  
  determine a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
  
  determine changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
  
  produce impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, wherein the computer program product further comprises instructions for causing the processor to:
    - rank the plurality of individual network entities based on the determined impact scores for each of the plurality of individual network entities.
  - 3. The computer program product of claim 1, wherein the impact score for a particular network entity is correlated to the contribution of the particular network entity to the detected spike or dip in the at least one network traffic characteristic.
  - 4. The computer program product of claim 1, wherein the computer program product further comprises instructions for causing the processor to:
    - display the impact scores for at least some of the plurality of individual network entities.
  - 5. The computer program product of claim 1, wherein the instructions for causing the processor to determine impact scores further comprise instructions for causing the processor to scale the calculated ratios using one of a 1-10 scale or a 1-100 scale.
  - 6. The computer program product of claim 1, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one day prior to the detected spike or dip in the at least one network traffic characteristic.
  - 7. The computer program product of claim 1, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one week prior to the detected spike or dip in the at least one network traffic characteristic.
  - 8. The computer program product of claim 1, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one month prior to the detected spike or dip in the at least one network traffic characteristic.

9. An anomaly detection system, comprising:
- a computing device configured to;
  
  detect a spike or dip in at least one network traffic characteristic;
  
  determine a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
  
  determine changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
  
  produce impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The anomaly detection system of claim 9, wherein the computing device is further configured to rank the plurality of individual network entities based on the determined impact scores for each of the plurality of individual network entities.
  - 11. The anomaly detection system of claim 9, wherein the impact score for a particular network entity is correlated to the contribution of the particular network entity to the detected spike or dip in the at least one network traffic characteristic.
  - 12. The anomaly detection system of claim 9, wherein the computing device is further configured to display the impact scores for at least some of the plurality of individual network entities.
  - 13. The anomaly detection system of claim 9, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one day prior to the detected spike or dip in the at least one network traffic characteristic.
  - 14. The anomaly detection system of claim 9, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one week prior to the detected spike or dip in the at least one network traffic characteristic.

15. A method comprising:
- detecting a spike or dip in at least one network traffic characteristic;
  
  determining a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
  
  determining changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by;
  
  comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
  
  producing impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising ranking the plurality of individual network entities based on the determined impact scores for each of the plurality of individual network entities.
  - 17. The method of claim 15, wherein the impact score for a particular network entity is correlated to the contribution of the particular network entity to the detected spike or dip in the at least one network traffic characteristic.
  - 18. The method of claim 15, further comprising displaying the impact scores for at least some of the plurality of individual network entities.
  - 19. The method of claim 15, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one day prior to the detected spike or dip in the at least one network traffic characteristic.
  - 20. The method of claim 15, wherein the time period the predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic comprises a time period one week prior to the detected spike or dip in the at least one network traffic characteristic.

21. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- generate a forecast of network traffic;
  
  calculate interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic;
  
  generate a prediction interval by determining the interval having the larger width between the calculated interval and a minimum discernable change threshold, the minimum discernable change threshold providing a lower limit on a width of the prediction interval;
  
  compare observed network traffic to the prediction interval; and
  
  identify an outlier if the observed network traffic is outside of the prediction interval.
- View Dependent Claims (22, 23)
- - 22. The computer program product of claim 21, wherein the instructions to generate a prediction interval by determining the interval having the larger width between the calculated interval and a minimum discernable change threshold comprise instructions to separately determine a first width of the prediction interval above the forecast of the network traffic and a second width of the prediction interval below the forecast of the network traffic.
  - 23. The computer program product of claim 21, wherein the minimum discernable change threshold comprises a first threshold providing a lower limit on a width of the prediction interval above the forecast of the network traffic and a second threshold providing a lower limit on a width of the prediction interval below the forecast of the network traffic.

24. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- generate a forecast of network traffic;
  
  generate an asymmetric prediction interval that extends above and below the forecast of the network traffic, the prediction interval being based on;
  
  previously observed deviations from predicted network traffic, a first value associated with the number of standard deviations above the forecasted value;
  
  a second value associated with the number of standard deviations below the forecasted value;
  
  wherein the first and second value differ;
  
  compare observed network traffic to the prediction interval; and
  
  identify an outlier if the observed network traffic is outside of the prediction interval.
- View Dependent Claims (25)
- - 25. The computer program product of claim 24, wherein the instructions to generate a forecast of network traffic comprise instruction to generate a forecast of network traffic using a model that includes at least a first and a second seasonality, the forecast being based on previously observed network traffic at first and second time periods associated with the first and a second seasonality.

26. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- compare observed network traffic to a prediction interval, the prediction interval extending above and below a forecast of network traffic and being based on previously observed network traffic; and
  
  identify an outlier if the observed network traffic is outside of the prediction interval;
  
  calculate an extent of the deviation of the outlier from the upper or lower limit of the prediction interval based on the observed network traffic and the value of the prediction interval;
  
  calculate a severity of the outlier based on the calculated extent of the deviation.
- View Dependent Claims (27, 28, 29)
- - 27. The computer program product of claim 26, wherein the severity comprises a scaled severity value using a fixed scale of severity values.
  - 28. The computer program product of claim 27, wherein the fixed scale of severity values comprises a 1-100 scale.
  - 29. The computer program product of claim 26, wherein the instructions to calculate a severity of the outlier based on the calculated extent of the deviation a predefined maximum deviation comprise instructions to calculate the severity based on a comparison of the extent of the deviation to a predefined maximum deviation that is correlated to a maximum severity score.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
White, Christopher James, Ratin, Andrew, Elverson, Bryan Thomas, Gopalan, Prem K.

Granted Patent

US 8,472,328 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 41/147   for predicting network beha...

H04L 43/022   by sampling

H04L 43/045   for graphical visualisation...

H04L 43/067   using time frame reporting

H04L 43/0876   Network utilisation, e.g. v...

H04L 47/127   by using congestion prediction

Impact Scoring and Reducing False Positives

First Claim

22 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Impact Scoring and Reducing False Positives

First Claim

22 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links