SYSTEMS, APPARATUS, AND METHODS FOR NETWORK DATA ANALYSIS

US 20120173710A1
Filed: 03/31/2011
Published: 07/05/2012
Est. Priority Date: 12/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an anomaly on a computer network comprising:

generating a time series of network traffic values;

calculating a deviation score for at least one analyzed time entry in the time series;

detecting an anomaly at the analyzed time entry if the deviation score is outside a range;

identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;

identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and

identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for analyzing network traffic data to detect anomalies in the data and determine their causes. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to generate a time series of network traffic values. The processor calculates deviation scores for time entries within the time series and detects anomalies in the time series by comparing the deviation score to a predetermined range. If the processor detects an anomaly, it may determine a list of IP addresses of computers on the network that may have caused the anomaly.

Citations

20 Claims

1. A method for detecting an anomaly on a computer network comprising:
- generating a time series of network traffic values;
  
  calculating a deviation score for at least one analyzed time entry in the time series;
  
  detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
  
  identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein calculating the deviation score includes:
    - generating a first variance by dividing a sum of the network traffic values of time entries corresponding to the first time-window by the network traffic value of the time series for the time entry;
      
      generating a second variance by dividing a sum of the network traffic values of time entries corresponding to the second time-window by the network traffic value of the time series for the time entry; and
      
      calculating the deviation score by dividing the second variance by the first variance.
  - 3. The method according to claim 2, wherein the range for the deviation score is about 0.5 to 1.5.
  - 4. The method according to claim 1, wherein the first time-window is larger than the second time-window.
  - 5. The method according to claim 4, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group but were not included in a part of the first group corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 6. The method according to claim 5, further comprising:
    - instructing one or more servers on the computer network not to process requests from IP addresses included in the third group.
  - 7. The method according to claim 4, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the first group but not included in the second group, if the deviation score is less than 0.5.
  - 8. The method according to claim 1, wherein the time series represents a number of DNS requests made to a DNS name server.
  - 9. The method according to claim 1, wherein the time series represents a number of IP requests measured by an analyzer at a router or a switch.

10. A network data analysis system for detecting an anomaly on a computer network comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions to direct the processor to perform operations comprising;
  
  generating a time series of network traffic values;
  
  calculating a deviation score for at least one analyzed time entry in the time series;
  
  detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
  
  identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The network data analysis system according to claim 10, wherein calculating the deviation score includes:
    - generating a first variance by dividing a sum of the network traffic values of time entries corresponding to the first time-window by the network traffic value of the time series for the time entry;
      
      generating a second variance by dividing a sum of the network traffic values of time entries corresponding to the second time-window by the network traffic value of the time series for the time entry; and
      
      calculating the deviation score by dividing the second variance by the first variance.
  - 12. The network data analysis system according to claim 10, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group but were not included in a part of the first group corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 13. The network data analysis system according to claim 12, the operations performed by the processor further comprising:
    - instructing one or more servers on the computer network not to process requests from IP addresses included in the third group.
  - 14. The network data analysis system according to claim 10, wherein the time series represents a number of DNS requests made to a DNS name server.
  - 15. The network data analysis system according to claim 10, wherein the time series represents a number of IP requests measured by an analyzer at a router or switch.

16. A computer-readable storage device storing instructions for analyzing network data, the instructions causing one or more computer processors to perform operations, comprising:
- generating a time series of network traffic values;
  
  calculating a deviation score for at least one analyzed time entry in the time series;
  
  detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
  
  identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable storage device according to claim 16, wherein calculating the deviation score includes:
    - generating a first variance by dividing a sum of the network traffic values of time entries corresponding to the first time-window by the network traffic value of the time series for the time entry;
      
      generating a second variance by dividing a sum of the network traffic values of time entries corresponding to the second time-window by the network traffic value of the time series for the time entry; and
      
      calculating the deviation score by dividing the second variance by the first variance.
  - 18. The computer-readable storage device according to claim 16, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group but were not included in a part of the first group corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 19. The computer-readable storage device according to claim 18, the instructions further causing the one or more computer processors to:
    - instruct one or more servers on the computer network not to process requests from IP addresses included in the third group.
  - 20. The computer-readable storage device according to claim 16, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the first group but not included in the second group, if the deviation score is less than 0.5.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
RODRIGUEZ, John

Granted Patent

US 8,935,383 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

SYSTEMS, APPARATUS, AND METHODS FOR NETWORK DATA ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS, APPARATUS, AND METHODS FOR NETWORK DATA ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links