Vector-Based Anomaly Detection
First Claim
1. A method of detecting anomalous behavior of a network fabric, the method comprising:
- characterizing a nominal behavior of a fabric as a baseline vector of behavior metrics having nominal values, the fabric comprising networked nodes;
- establishing anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior;
- disaggregating the anomaly detection criteria into a plurality of anomaly criterion;
- disseminating the plurality of anomaly criterion among nodes of the fabric;
- calculating, by the receiving nodes, anomaly criterion statuses at each receiving node as a function of the node's anomaly criterion and a measured vector of behavior metrics;
- aggregating anomaly criterion statuses from at least some of the receiving nodes;
- detecting satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior; and
- notifying a manager of the fabric anomalous behavior.
Abstract
Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.
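The following Python example is added here to illustrate the flow the abstract describes (baseline vector, per-node criteria, node-local statuses, aggregation, notification); it is not taken from the patent. The metric names, tolerance values, node names and the quorum-based aggregation rule are assumptions, and the sample measurements are constructed.

```python
# Added illustration, not the patent's implementation; names and rules assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Criterion:
    """One disaggregated piece of the fabric-wide detection criteria."""
    metric: str       # behavior metric this criterion covers
    nominal: float    # baseline (nominal) value of that metric
    tolerance: float  # allowed relative variation from the baseline

    def status(self, measured):
        """Node-local check: True when the measured value is out of tolerance."""
        value = measured.get(self.metric)
        if value is None:  # assumption: missing telemetry counts as a violation
            return True
        scale = abs(self.nominal) or 1.0  # avoid dividing by a zero baseline
        return abs(value - self.nominal) / scale > self.tolerance

def disaggregate(baseline, tolerances, nodes):
    """Give every node one criterion per metric of the baseline vector."""
    return {n: [Criterion(m, baseline[m], tolerances[m]) for m in baseline]
            for n in nodes}

def detect(statuses_by_node, quorum):
    """Aggregate node statuses; a metric is anomalous fabric-wide when at
    least `quorum` (a fraction) of the reporting nodes flag it."""
    votes = {}
    for statuses in statuses_by_node.values():
        for metric, bad in statuses.items():
            votes.setdefault(metric, []).append(bad)
    return sorted(m for m, v in votes.items() if sum(v) / len(v) >= quorum)

def run_fabric(baseline, tolerances, measurements, quorum=0.5, notify=print):
    """Full loop: disseminate criteria, evaluate per node, aggregate, notify."""
    criteria = disaggregate(baseline, tolerances, measurements)
    statuses = {node: {c.metric: c.status(measurements[node]) for c in crits}
                for node, crits in criteria.items()}
    anomalies = detect(statuses, quorum)
    if anomalies:
        notify(f"fabric anomaly on: {', '.join(anomalies)}")
    return anomalies

# Constructed sample data: three nodes, two behavior metrics.
BASELINE = {"latency_ms": 2.0, "pkts_per_s": 10000.0}
TOLERANCES = {"latency_ms": 0.5, "pkts_per_s": 0.2}
MEASURED = {
    "node-a": {"latency_ms": 2.1, "pkts_per_s": 15000.0},
    "node-b": {"latency_ms": 4.0, "pkts_per_s": 14000.0},
    "node-c": {"latency_ms": 2.2, "pkts_per_s": 9800.0}}
```

With the default quorum of 0.5, only the packet-rate metric is reported, because a single node's latency deviation does not reach the fabric-wide threshold.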
19 Claims
14. The method of claim 14, further comprising automatically responding to the anomalous behavior according to a priori defined action based at least in part on the anomaly type.
Specification