Methods, Devices and Computer Program Products for Actionable Alerting of Malevolent Network Addresses Based on Generalized Traffic Anomaly Analysis of IP Address Aggregates

US 20120117254A1
Filed: 11/05/2010
Published: 05/10/2012
Est. Priority Date: 11/05/2010
Status: Active Grant

First Claim

Patent Images

1. A method for providing alerts in a network, the method comprising:

collecting network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval;

generating an event alert corresponding to anomalous network activity based on the network traffic and using at least one of a plurality of anomaly detection metrics;

identifying a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test on results from the at least one of the plurality of anomaly detection metrics; and

identifying a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.

Citations

20 Claims

1. A method for providing alerts in a network, the method comprising:
- collecting network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval;
  
  generating an event alert corresponding to anomalous network activity based on the network traffic and using at least one of a plurality of anomaly detection metrics;
  
  identifying a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test on results from the at least one of the plurality of anomaly detection metrics; and
  
  identifying a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method according to claim 1, wherein the plurality of anomaly detection metrics include at least one network traffic volume data metric in the predefined time interval, a standardized entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval, and a relative entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval relative to a baseline distribution of traffic share of respective ones of the plurality of subsets of network addresses.
  - 3. The method according to claim 2,wherein generating the event alert using the at least one network traffic volume data metric comprises determining a network traffic volume data metric value from ones of the plurality of subsets of network addresses and identifying the suspect subset as having the network traffic volume data metric value that exceeds a predicted network traffic volume data metric value, andwherein the at least one network traffic volume data metric includes a metric selected from a group of metrics including dropped connections, network traffic flows, bytes of network traffic, packets of network traffic and established connections.
  - 4. The method according to claim 2, wherein generating the event alert using the standardized entropy of the distribution of traffic share comprises determining a standardized entropy of at least one of a plurality of network traffic metrics that provides a standardized entropy value corresponding to the plurality of subsets of network addresses, the standardized entropy value corresponding to a probability that the anomalous network activity is initiated by one of the plurality of subsets.
  - 5. The method according to claim 4, wherein the standardized entropy value includes a value in a range from 0 to 1 that corresponds to an increasing probability that one of the plurality of subsets of network addresses initiated the anomalous network activity as the standardized entropy values decreases.
  - 6. The method according to claim 2, wherein generating the event alert using the relative entropy of the distribution of traffic share comprises determining a relative entropy of at least one of a plurality of network traffic metrics that provides a relative entropy value corresponding to the plurality of subsets of network addresses, the relative entropy value corresponding to a probability that the anomalous network activity is initiated by one of the plurality of subsets.
  - 7. The method according to claim 6, wherein the relative entropy value includes a relative entropy of distributions of traffic share between a current probability distribution observed in a recently measured time interval and a baseline probability distribution that corresponds to a probability that one of the plurality of subsets of network addresses initiated the anomalous network activity.
  - 8. The method according to claim 7, wherein as the relative entropy value increases, a probability that one of the plurality of subsets of network addresses initiated the anomalous network activity increases.
  - 9. The method according to claim 1, wherein generating the event alert comprises:
    - determining a total network traffic volume in the predefined time interval;
      
      determining a standardized entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval; and
      
      determining a relative entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval relative to a baseline distribution of traffic share of the plurality of subsets of network addresses.
  - 10. The method according to claim 9, wherein generating the event alert further comprises comparing determined values corresponding to the total network traffic volume, the standardized entropy and the relative entropy to baseline values of the total network traffic volume, the standardized entropy and the relative entropy to determine a total volume deviation score, a standardized entropy deviation score and a relative entropy deviation score.
  - 11. The method according to claim 10, wherein generating the event alert further comprises:
    - determining a statistical significance corresponding to each of the total volume deviation score, the standardized entropy deviation score and the relative entropy deviation score for the plurality of subsets of network addresses; and
      
      generating the alert corresponding to the plurality of subsets of network addresses responsive to determining that any of the total volume deviation score, the standardized entropy deviation score or the relative entropy deviation score is statistically significant.
  - 12. The method according to claim 11, wherein identifying the suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity comprises analyzing the plurality of subsets of network addresses using an odds ratio test to determine the suspect subset of network addresses having a current network traffic share that is greater than a baseline network traffic share.
  - 13. The method according to claim 11, wherein identifying the source network address within the suspect subset of network addresses further comprises selecting source network addresses using entropy-based clustering procedures based on the source network address flow share being greater than a flow share threshold value.
  - 14. The method according to claim 13, wherein selecting source network addresses using entropy-based clustering procedures comprises iteratively selecting source network addresses and reducing the flow share threshold value by an exponentially decreasing factor following each iteration.
  - 15. The method according to claim 11, wherein identifying the source network address within the suspect subset of network addresses further comprises analyzing distributions of flow traffic volume based on traffic flow volume quartiles.
  - 16. The method according to claim 1, wherein the network traffic data includes traffic volume, dropped network connections, passed through connections or network device related events.
  - 17. The method according to claim 1, wherein the plurality of subsets of network addresses are mutually exclusive subsets that include at least one first size subset and at least one second size subset that is different from the first size subset.

18. A computer program product comprising:
- a computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to collect network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval;
  
  computer readable program code configured to generate an anomalous event alert for the plurality of subsets of network addresses that corresponds to anomalous network activity based on the network traffic data and using at least one of a plurality of anomaly detection metrics;
  
  computer readable program code configured to identify a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test on results from the at least one of the plurality of anomaly detection metrics; and
  
  computer readable program code configured to identify a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.
- View Dependent Claims (19, 20)
- - 19. The computer program product according to claim 18, wherein the computer readable program code configured to generate the anomalous event alert comprises:
    - computer readable program code configured to determine a total network traffic volume in the predefined time interval;
      
      computer readable program code configured to determine a standardized entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval; and
      
      computer readable program code configured to estimate a relative entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval.
  - 20. The computer program product according to claim 19, wherein the computer readable program code configured to generate the anomalous event alert further comprises:
    - computer readable program code configured to compare determined values corresponding to the total network traffic volume, the standardized entropy and the relative entropy to predicted values of the total network traffic volume, the standardized entropy and the relative entropy to determine a total volume deviation score, a standardized entropy deviation score and a relative entropy deviation score;
      
      computer readable program code configured to determine a statistical significance corresponding to each of the total volume deviation score, the standardized entropy deviation score and the relative entropy deviation score for the plurality of subsets of network addresses; and
      
      computer readable program code configured to generate the alert for the plurality of subsets of network addresses responsive to determining that any of the total volume deviation score, the standardized entropy deviation score or the relative entropy deviation score is statistically significant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Ehrlich, Willa, Hoeflin, David, Chakka, Ratna, Fermon, Eric, Ortiz, Manuel

Granted Patent

US 8,874,763 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/228
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1475   Passive attacks, e.g. eaves...

Methods, Devices and Computer Program Products for Actionable Alerting of Malevolent Network Addresses Based on Generalized Traffic Anomaly Analysis of IP Address Aggregates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, Devices and Computer Program Products for Actionable Alerting of Malevolent Network Addresses Based on Generalized Traffic Anomaly Analysis of IP Address Aggregates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links