Methods, Devices and Computer Program Products for Actionable Alerting of Malevolent Network Addresses Based on Generalized Traffic Anomaly Analysis of IP Address Aggregates
First Claim
1. A method for providing alerts in a network, the method comprising:
collecting network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval;
generating an event alert corresponding to anomalous network activity based on the network traffic and using at least one of a plurality of anomaly detection metrics;
identifying a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test on results from the at least one of the plurality of anomaly detection metrics; and
identifying a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.
Abstract
Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.
20 Claims
1. See First Claim above. Dependent claims: 2-17.
18. A computer program product comprising:
a computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising:
computer readable program code configured to collect network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval;
computer readable program code configured to generate an anomalous event alert for the plurality of subsets of network addresses that corresponds to anomalous network activity based on the network traffic data and using at least one of a plurality of anomaly detection metrics;
computer readable program code configured to identify a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test on results from the at least one of the plurality of anomaly detection metrics; and
computer readable program code configured to identify a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.
Dependent claims: 19-20.
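The claimed sequence (collect per-aggregate traffic, score it with an anomaly metric, select the suspect aggregate with an odds ratio test, then name the source inside it) worked on constructed flow records, as an added example that is not the patent's implementation. It assumes /24 prefixes as the address subsets, a single metric (destination port absent from a baseline set), a 2x2 odds ratio of anomalous to normal flows in one aggregate against all others with a 0.5 continuity correction, and a threshold of 5; the patent text specifies none of these.

```python
from collections import Counter
import ipaddress

BASELINE_PORTS = {53, 80, 443}  # constructed baseline: ports seen as normal

def is_anomalous(flow):
    """Anomaly detection metric (assumed): a flow to a port absent from baseline."""
    return flow[2] not in BASELINE_PORTS

def aggregate_of(ip, prefixlen=24):
    """Map a source address to its address aggregate (assumed /24 subsets)."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)

def odds_ratio(a, b, c, d):
    """Odds of anomalous flows inside the aggregate (a:b) vs. the rest (c:d), +0.5 correction."""
    return ((a + 0.5) * (d + 0.5)) / ((b + 0.5) * (c + 0.5))

def find_suspect_sources(flows, threshold=5.0):
    """Score flows, pick suspect aggregates by odds ratio, then name the top source in each."""
    per_agg = Counter()  # (aggregate, flagged?) -> flow count
    per_src = Counter()  # (aggregate, source) -> anomalous flow count
    for src, dst, port in flows:
        agg, flagged = aggregate_of(src), is_anomalous((src, dst, port))
        per_agg[(agg, flagged)] += 1
        if flagged:
            per_src[(agg, src)] += 1
    total_anom = sum(n for (_, f), n in per_agg.items() if f)
    total_norm = sum(n for (_, f), n in per_agg.items() if not f)
    alerts = {}
    for agg in {agg for agg, _ in per_agg}:
        a, b = per_agg[(agg, True)], per_agg[(agg, False)]
        ratio = odds_ratio(a, b, total_anom - a, total_norm - b)
        if ratio >= threshold:  # 2x2 test: this aggregate against all others
            src = max((s for g, s in per_src if g == agg),
                      key=lambda s: per_src[(agg, s)], default=None)
            alerts[str(agg)] = (src, round(ratio, 1))
    return alerts

def constructed_flows():
    """Constructed (source, destination, destination port) records for one interval."""
    flows = []
    for net in ("10.0.1", "10.0.2", "10.0.3"):
        hosts = 4 if net == "10.0.2" else 5
        for h in range(1, hosts + 1):
            flows += [(f"{net}.{h}", "192.0.2.10", p) for p in (80, 443, 80, 443)]
    flows.append(("10.0.1.2", "192.0.2.10", 8080))  # isolated oddity, not suspect
    flows.append(("10.0.3.4", "192.0.2.11", 22))    # isolated oddity, not suspect
    flows.append(("10.0.2.3", "192.0.2.10", 8443))  # same aggregate as the sweep
    flows += [("10.0.2.7", "192.0.2.12", p) for p in range(1, 31)]  # port sweep
    return flows
```

Running `find_suspect_sources(constructed_flows())` reports only the 10.0.2.0/24 aggregate, naming 10.0.2.7 with an odds ratio of about 31, while the single odd flows in the other two aggregates stay far below threshold and raise no alert.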