METHOD OF DETECTING ANOMALIES IN A COMMUNICATION SYSTEM USING NUMERICAL PACKET FEATURES

US 20100284283A1
Filed: 12/31/2007
Published: 11/11/2010
Est. Priority Date: 12/31/2007
Status: Active Grant

First Claim

Patent Images

1-25. -25. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting anomalies in a communication system, includes: providing a first packet flow portion and a second packet flow portion; extracting samples of a numerical feature associated with a traffic status of the first and second packet flow portions; computing from said extracted samples a first statistical dispersion quantity and a second statistical dispersion quantity of the numerical feature associated with the first and second packet flow portions, respectively; computing from the dispersion quantities a variation quantity representing a dispersion change from the first packet flow portion to the second packet flow portion; comparing the variation quantity with a comparison value; and detecting an anomaly in the system in response to said comparison.

68 Citations

View as Search Results

50 Claims

1-25. -25. (canceled)

26. A method of detecting anomalies in a communication system, comprising:
- providing a first packet flow portion and a second packet flow portion;
  
  extracting samples of a numerical feature associated with a traffic status of the first and second packet flow portions;
  
  computing from said extracted samples a first statistical dispersion quantity and a second statistical dispersion quantity of the numerical feature associated with the first and second packet flow portions, respectively;
  
  computing from said dispersion quantities a variation quantity representing a dispersion change from the first packet flow portion to the second packet flow portion;
  
  comparing the variation quantity with a comparison value; and
  
  detecting an anomaly in the system in response to said comparison.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 50)
- - 27. The detection method of claim 26, wherein said first statistical dispersion quantity is a first variance of the numerical feature associated with the first packet flow portion and said second statistical dispersion quantity is a second variance of the numerical feature associated with the second packet flow portion.
  - 28. The detection method of claim 26, wherein said variation quantity is related to a difference between the first statistical dispersion quantity and the second statistical dispersion quantity.
  - 29. The detection method of claim 28, wherein said variation quantity is a squared difference of the first statistical dispersion quantity and the second statistical dispersion quantity.
  - 30. The detection method of claim 26, wherein extracting samples of a numerical feature comprises selecting the numerical feature from a plurality of features comprising:
    - packet size in bytes;
      
      total number of packets in a time interval of length;
      
      total number of layer 3 bytes in a time interval of length;
      
      average packet size in a time interval of length, expressed in bytes;
      
      packet rate in a time interval of length; and
      
      byte rate in a time interval of length.
  - 31. The detection method of claim 27, wherein computing each of said first variance and second variance comprises:
    - computing a summation of the samples associated with one of said first and second packet flow portions;
      
      computing a mean value of the samples associated with one of said first and second packet flow portions;
      
      computing a summation of the squared distances from the mean value of the samples associated with one of said first and second packet flow portions; and
      
      computing each of said first and second variances from the corresponding summation of the squared distances from the mean value.
  - 32. The detection method of claim 26, wherein providing said first and second packet flow portions comprises:
    - defining a first time window comprising the first packet flow portion and an associated first sample segment of the numerical feature; and
      
      defining a second time window comprising the second flow portion and an associated second sample segment of the numerical feature,wherein said first statistical dispersion quantity and said second statistical dispersion quantity are computed from the first and second sample segments, respectively.
  - 33. The detection method of claim 32, wherein the first and second windows have a same time length.
  - 34. The detection method of claim 32, wherein the second window is shifted in time with respect to the first window by a delay.
  - 35. The detection method of claim 34, further comprising after a time interval equal to said delay:
    - defining further first and second windows by sliding the first and second windows by said delay; and
      
      repeating the method to detect an anomaly applying the method to further first and second packet flow portions corresponding to said further first and second windows, respectively.
  - 36. The detection method of claim 32, wherein the first sample segment comprises an initial part of the second sample segment, the second sample segment comprising an end part which is separate from the first segment.
  - 37. The detection method of claim 36, further comprising, after a time interval equal to a delay:
    - defining further first and second sample segments by sliding the first and second sample segments by said delay; and
      
      repeating the method to detect an anomaly applying the method to further first and second sample segments.
  - 38. The detection method of claim 32, wherein the second time window comprises a fixed initial time point coincident to a fixed initial time point of the first time window and an end time point obtained by extending the first time window by an advancing time value.
  - 39. The detection method of claim 26, further comprising:
    - extracting further samples of a further numerical feature associated with a traffic status of the first and second packet flow portions;
      
      computing from said further samples additional statistical dispersion quantities of said further numerical feature associated with the first and second packet flow portions; and
      
      computing a further variation quantity representing another dispersion change from the first packet flow portion to the second packet flow portion.
  - 40. The detection method of claim 39, wherein computing from said dispersion quantities a variation quantity, representing a dispersion change from the first packet flow portion to the second packet flow portion, comprises:
    - computing a first variation quantity from said dispersion quantities; and
      
      combining the first variation quantity and the further variation quantity to obtain said variation quantity.
  - 41. The detection method of claim 39, wherein comparing the variation quantity with a comparison value further comprises:
    - comparing the further variation quantity with a further comparison value; and
      
      detecting an anomaly in the system in response to said comparison of the further variation quantity with the further comparison value.
  - 42. The detection method of claim 26, wherein said further statistical dispersion quantity is a first minimum mean squared deviation from any affine approximation of numerical feature values associated with the first packet flow portion and said second statistical dispersion quantity is a second minimum mean squared deviation from any affine approximation of numerical feature values associated with the second packet flow portion.
  - 43. The detection method of claim 32, wherein computing the second statistical dispersion quantity comprises:
    - updating the computed first statistical dispersion quantity taking into account samples of the second segment not included in the first segment.
  - 44. The detection method of claim 26, further comprising:
    - selecting the comparison value from;
      
      a fixed value, a variable value, an adaptive value, and a value depending on historical traffic data.
  - 45. The detection method of claim 26, wherein the detected anomaly is due to at least one of the following causes:
    - a failure of a communication system element and an attack.
  - 46. The detection method of claim 26, further comprising:
    - aggregating samples of the numerical feature values of different network flows according to selected packet parameters; and
      
      applying the method to said aggregated samples.
  - 50. A computer program product comprising program codes capable of performing the detection method of detecting anomalies in a communication system according to claim 26.

47. An apparatus capable of detecting anomalies in a packet switched communication system, comprising:
- a collection module capable of storing samples of a numerical packet feature associated with traffic status of a first packet flow portion and a second packet flow portion;
  
  a computing module capable of being arranged so as to;
  
  compute from said samples a first statistical dispersion quantity and a second statistical dispersion quantity of the numerical feature associated with the first and second packet flow portions, respectively; and
  
  compute from said dispersion quantities a variation quantity representing a dispersion change from the first packet flow portion to the second packet flow portion; and
  
  a detection module arranged so as to;
  
  compare the variation quantity with a comparison value; and
  
  detect an anomaly in the system in response to said comparison.
- View Dependent Claims (48, 49)
- - 48. The apparatus of claim 47, further comprising a flow aggregation module for grouping numerical packet feature values of different network flows according to selected packet parameters.
  - 49. A packet switched communication system comprising:
    - an extractor module capable of extracting samples of a numerical feature associated with a traffic status of a first packet flow portion and a second packet flow portion; and
      
      an apparatus capable of detecting anomalies connected to said extractor module and arranged in accordance with the apparatus capable of detecting anomalies in a packet switched communication system of claim 47.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telecom Italia S.p.A.
Original Assignee
Telecom Italia S.p.A.
Inventors
Golic, Jovan, D'Alessandro, Rosalia

Granted Patent

US 8,503,302 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/242
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

METHOD OF DETECTING ANOMALIES IN A COMMUNICATION SYSTEM USING NUMERICAL PACKET FEATURES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD OF DETECTING ANOMALIES IN A COMMUNICATION SYSTEM USING NUMERICAL PACKET FEATURES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links