Vector-Based Anomaly Detection
First Claim
1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
- a black box memory configured to store a plurality of behavior metrics; and
- an anomaly agent coupled with the black box and configured to:
  - characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics selected from the plurality of behavior metrics, the at least two correlated behavior metrics having nominal values,
  - establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,
  - disaggregate the anomaly detection criteria into a plurality of anomaly criterion,
  - aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node's anomaly criterion and a measured vector of behavior metrics;
  - detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, and
  - present to a user the fabric anomalous behavior.
Abstract
Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.
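The flow the abstract describes (baseline vector, criteria as a variation from it, per-node status, aggregation) can be sketched as follows. This is an added example, not code from the patent: the metric names, the constructed sample data, the use of squared Mahalanobis distance as the variation function, the threshold and the quorum rule are all assumptions chosen for illustration.

```python
from statistics import mean

# Constructed nominal samples: (link_utilization, queue_latency_ms) per interval.
NOMINAL = [(0.30, 3.1), (0.35, 3.4), (0.40, 4.1), (0.45, 4.4),
           (0.50, 5.0), (0.55, 5.6), (0.60, 5.9), (0.65, 6.6)]

def characterize(samples):
    """Baseline vector (means) plus covariance of the two correlated metrics."""
    xs, ys = zip(*samples)
    mx, my, n = mean(xs), mean(ys), len(samples) - 1
    sxx = sum((x - mx) ** 2 for x in xs) / n
    syy = sum((y - my) ** 2 for y in ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in samples) / n
    return (mx, my), (sxx, sxy, syy)

def variation(measured, baseline, cov):
    """Squared Mahalanobis distance of a measured vector from the baseline."""
    dx, dy = measured[0] - baseline[0], measured[1] - baseline[1]
    sxx, sxy, syy = cov
    det = sxx * syy - sxy ** 2  # determinant of the 2x2 covariance matrix
    return (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det

def disaggregate(node_ids, baseline, cov, threshold=9.0):
    """One criterion per node; identical here, but each could be tuned per node."""
    return {n: {"baseline": baseline, "cov": cov, "threshold": threshold}
            for n in node_ids}

def node_status(criterion, measured):
    """Runs on the node: does its measured vector satisfy its own criterion?"""
    dist = variation(measured, criterion["baseline"], criterion["cov"])
    return dist > criterion["threshold"]

def fabric_anomalous(statuses, quorum=0.5):
    """Fabric criteria are met when at least `quorum` of reporting nodes agree."""
    return bool(statuses) and sum(statuses.values()) / len(statuses) >= quorum

def evaluate(measurements, quorum=0.5):
    """End to end: characterize, disaggregate, per-node status, aggregate."""
    baseline, cov = characterize(NOMINAL)
    criteria = disaggregate(measurements, baseline, cov)
    statuses = {n: node_status(criteria[n], m) for n, m in measurements.items()}
    return statuses, fabric_anomalous(statuses, quorum)

if __name__ == "__main__":
    # n1 to n3: each metric is inside its nominal range, but the correlation is broken.
    print(evaluate({"n1": (0.35, 6.0), "n2": (0.36, 6.1),
                    "n3": (0.60, 3.3), "n4": (0.50, 5.0)}))
```

A per-metric range check would pass the vector (0.35, 6.0), since both values lie inside the nominal ranges; the vector distance flags it because low utilization paired with high latency departs from the correlation captured in the baseline.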
19 Claims
1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
- a black box memory configured to store a plurality of behavior metrics; and
- an anomaly agent coupled with the black box and configured to:
  - characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics selected from the plurality of behavior metrics, the at least two correlated behavior metrics having nominal values,
  - establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,
  - disaggregate the anomaly detection criteria into a plurality of anomaly criterion,
  - aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node's anomaly criterion and a measured vector of behavior metrics;
  - detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, and
  - present to a user the fabric anomalous behavior.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A network fabric system comprising:
- a plurality of network nodes; and
- an anomaly agent coupled with the plurality of network nodes and configured to:
  - characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics having nominal values,
  - establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,
  - disaggregate the anomaly detection criteria into a plurality of anomaly criterion,
  - aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node's anomaly criterion and a measured vector of behavior metrics;
  - detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, and
  - present to a user the fabric anomalous behavior.
Specification