Impact Scoring and Reducing False Positives
First Claim
1. A computer program product residing on a computer readable medium for anomaly detection, the computer program product comprising instructions for causing a processor to:
- detect a spike or dip in at least one network traffic characteristic;
- determine a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
- determine changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
- produce impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
Abstract
According to an aspect of the invention, a system and method is configured to generate impact scores based on observed network traffic.
29 Claims
9. An anomaly detection system, comprising a computing device configured to:
- detect a spike or dip in at least one network traffic characteristic;
- determine a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
- determine changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
- produce impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
(Dependent claims: 10, 11, 12, 13, 14)

15. A method comprising:
- detecting a spike or dip in at least one network traffic characteristic;
- determining a change in overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic at a time period of a predetermined length of time prior to the time of the detected spike or dip in the at least one network traffic characteristic to the overall observed network traffic for the at least one network traffic characteristic at the time of the detected spike or dip in the at least one network traffic characteristic;
- determining changes in the observed network traffic for the at least one network traffic characteristic for a plurality of individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic by comparing the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time period of the predetermined length of time prior to the time of the detected spike or dip in network traffic for the at least one network traffic characteristic to the network traffic for the at least one network traffic characteristic for each of the individual network entities at the time of the detected spike or dip in the at least one network traffic characteristic; and
- producing impact scores for the plurality of individual network entities by calculating a ratio of the change in the network traffic for the network entity to the change in the overall observed network traffic for the at least one network traffic characteristic.
(Dependent claims: 16, 17, 18, 19, 20)

21. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- generate a forecast of network traffic;
- calculate an interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic;
- generate a prediction interval by determining the interval having the larger width between the calculated interval and a minimum discernable change threshold, the minimum discernable change threshold providing a lower limit on a width of the prediction interval;
- compare observed network traffic to the prediction interval; and
- identify an outlier if the observed network traffic is outside of the prediction interval.
(Dependent claims: 22, 23)

24. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- generate a forecast of network traffic;
- generate an asymmetric prediction interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic, a first value associated with the number of standard deviations above the forecasted value, and a second value associated with the number of standard deviations below the forecasted value, wherein the first and second value differ;
- compare observed network traffic to the prediction interval; and
- identify an outlier if the observed network traffic is outside of the prediction interval.
(Dependent claims: 25)

26. A computer program product residing on a computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
- compare observed network traffic to a prediction interval, the prediction interval extending above and below a forecast of network traffic and being based on previously observed network traffic;
- identify an outlier if the observed network traffic is outside of the prediction interval;
- calculate an extent of the deviation of the outlier from the upper or lower limit of the prediction interval based on the observed network traffic and the value of the prediction interval; and
- calculate a severity of the outlier based on the calculated extent of the deviation.
(Dependent claims: 27, 28, 29)
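The following is an added illustration, not code from the patent or its assignee, of how the independent claims fit together: the asymmetric prediction interval with a minimum-discernable-change floor (claims 21 and 24), the severity of an outlier from its extent beyond the interval (claim 26), and the per-entity impact scores as the ratio of each entity's change to the overall change (claims 1, 9 and 15). The naive mean forecast, the choice of severity as extent divided by interval width, the multipliers, and all traffic figures are assumptions constructed for the example.

```python
import statistics

def prediction_interval(forecast, past_errors, k_above=3.0, k_below=2.0,
                        min_change=0.0):
    """Asymmetric prediction interval around a forecast (claims 21 and 24).
    past_errors are previously observed deviations (observed - forecast); the
    half-widths are k_above*sigma above and k_below*sigma below, and each is
    floored by min_change, the minimum discernable change threshold."""
    sigma = statistics.pstdev(past_errors) if len(past_errors) > 1 else 0.0
    upper = forecast + max(k_above * sigma, min_change)
    lower = forecast - max(k_below * sigma, min_change)
    return lower, upper

def outlier_severity(observed, lower, upper):
    """Extent of the deviation beyond the nearest limit (claim 26). Severity is
    taken here as that extent relative to the interval width (an assumption;
    the claim only says severity is based on the extent). 0.0 = no outlier."""
    if lower <= observed <= upper:
        return 0.0
    extent = observed - upper if observed > upper else lower - observed
    return extent / (upper - lower)

def impact_scores(prior, current):
    """Per-entity impact scores (claim 1): each entity's change between the
    prior window and the spike/dip, divided by the overall change. For a dip
    the overall change is negative, so entities that fell score positive."""
    total_change = sum(current.values()) - sum(prior.values())
    entities = set(prior) | set(current)
    if total_change == 0:
        return {e: 0.0 for e in entities}
    return {e: (current.get(e, 0) - prior.get(e, 0)) / total_change
            for e in entities}

def analyze(history, observed_total, prior, current, **kw):
    """Forecast from history (naive mean, an assumption), test the observation
    against the prediction interval, and score entities only on an outlier."""
    forecast = statistics.fmean(history)
    errors = [h - forecast for h in history]
    lower, upper = prediction_interval(forecast, errors, **kw)
    severity = outlier_severity(observed_total, lower, upper)
    scores = impact_scores(prior, current) if severity else {}
    return {"interval": (lower, upper), "severity": severity, "scores": scores}

# Constructed sample: eight prior intervals of total bytes/s, then a spike.
HISTORY = [1040, 960, 1040, 960, 1040, 960, 1040, 960]
PRIOR = {"host-a": 300, "host-b": 400, "host-c": 300}    # window before spike
CURRENT = {"host-a": 560, "host-b": 410, "host-c": 330}  # at the spike (1300)

if __name__ == "__main__":
    print(analyze(HISTORY, sum(CURRENT.values()), PRIOR, CURRENT, min_change=100))
```

With the sample data the lower half-width (2 sigma = 80) is raised to the 100 floor while the upper (3 sigma = 120) is not, and host-a carries most of the impact score for the spike.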