SYSTEMS, APPARATUS, AND METHODS FOR NETWORK DATA ANALYSIS
First Claim
1. A method for detecting an anomaly on a computer network comprising:
- generating a time series of network traffic values;
- calculating a deviation score for at least one analyzed time entry in the time series;
- detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
- identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
- identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
- identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
1 Assignment
0 Petitions
Abstract
Systems and methods are disclosed for analyzing network traffic data to detect anomalies in the data and determine their causes. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to generate a time series of network traffic values. The processor calculates deviation scores for time entries within the time series and detects anomalies in the time series by comparing the deviation score to a predetermined range. If the processor detects an anomaly, it may determine a list of IP addresses of computers on the network that may have caused the anomaly.
20 Claims
1. A method for detecting an anomaly on a computer network comprising:
- generating a time series of network traffic values;
- calculating a deviation score for at least one analyzed time entry in the time series;
- detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
- identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
- identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
- identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A network data analysis system for detecting an anomaly on a computer network comprising:
- a processor; and
- a memory coupled to the processor, the memory storing instructions to direct the processor to perform operations comprising:
- generating a time series of network traffic values;
- calculating a deviation score for at least one analyzed time entry in the time series;
- detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
- identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
- identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
- identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

View Dependent Claims (11, 12, 13, 14, 15)
16. A computer-readable storage device storing instructions for analyzing network data, the instructions causing one or more computer processors to perform operations, comprising:
- generating a time series of network traffic values;
- calculating a deviation score for at least one analyzed time entry in the time series;
- detecting an anomaly at the analyzed time entry if the deviation score is outside a range;
- identifying a first group of IP addresses corresponding to a first time-window that corresponds to the analyzed time entry where the anomaly occurred;
- identifying a second group of IP addresses corresponding to a second time-window that corresponds to the analyzed time entry where the anomaly occurred; and
- identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

View Dependent Claims (17, 18, 19, 20)
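The claimed pipeline (traffic time series, deviation score, range check, two IP groups compared to yield a third group) as an added illustration in Python; this is example code written for this page, not an implementation from the patent. It assumes a z-score against the preceding entries as the deviation score, one minute per time entry, the anomalous minute as the first time-window, the ten preceding minutes as the second, and set difference (addresses new to the anomaly window) as the comparison; the flow records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, source IP, bytes). Minutes 0-9 carry
# small jittered traffic from three hosts; minute 10 adds a burst from two
# addresses that never appeared in the baseline.
IPS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")
FLOWS = [(m, ip, 100 + 5 * ((3 * m + k) % 4))
         for m in range(10) for k, ip in enumerate(IPS)]
FLOWS += [(10, "10.0.0.1", 110), (10, "10.0.0.2", 115),
          (10, "198.51.100.7", 2000), (10, "203.0.113.9", 1500)]


def time_series(flows):
    """Network traffic values: total bytes observed per minute."""
    totals = defaultdict(int)
    for minute, _, nbytes in flows:
        totals[minute] += nbytes
    return [totals[m] for m in range(max(totals) + 1)]


def deviation_score(series, idx, baseline_len=10):
    """z-score of series[idx] against the preceding baseline_len entries (assumed scoring)."""
    baseline = series[max(0, idx - baseline_len):idx]
    if len(baseline) < 2:
        return 0.0  # too little history to score the entry
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:  # flat baseline: any change at all is an unbounded deviation
        return float("inf") if series[idx] != mu else 0.0
    return (series[idx] - mu) / sd


def detect_anomalies(series, low=-3.0, high=3.0):
    """Indices of time entries whose deviation score falls outside [low, high]."""
    return [i for i in range(len(series))
            if not low <= deviation_score(series, i) <= high]


def ips_in_window(flows, start, end):
    """Source IPs active in minutes start..end inclusive."""
    return {ip for minute, ip, _ in flows if start <= minute <= end}


def suspect_ips(flows, anomaly_idx, baseline_len=10):
    """Third group: IPs in the anomaly window that are absent from the baseline window."""
    first = ips_in_window(flows, anomaly_idx, anomaly_idx)
    second = ips_in_window(flows, anomaly_idx - baseline_len, anomaly_idx - 1)
    return first - second


if __name__ == "__main__":
    series = time_series(FLOWS)
    for idx in detect_anomalies(series):
        print(f"minute {idx}: z={deviation_score(series, idx):.1f}, suspects={sorted(suspect_ips(FLOWS, idx))}")
```

The set difference flags only newly appearing addresses; a host already present in the baseline that suddenly ramps up would need a per-IP volume comparison between the two windows instead, which the claims leave open.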