METHOD AND SYSTEM FOR CONFIDENT ANOMALY DETECTION IN COMPUTER NETWORK TRAFFIC
Abstract
The present invention relates to systems and methods for detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines. Upon detection, traffic anomalies can be processed to determine valuable network insights, including health of interfaces, devices and network services, as well as to provide timely alerts in the event of attack.
14 Claims
1. A method for detecting and classifying network traffic anomalies, comprising:
- receiving a packet of information related to network traffic;
- passing said packet to one or a plurality of network traffic analyzers;
- at least some of said network traffic analyzers capable of applying an analytical algorithm to information contained in said packet that is different from the analytical algorithm applied by another of said network traffic analyzers;
- receiving results of analysis performed by said analyzers;
- evaluating results of analysis performed by said analyzers as a collection;
- determining if the result of evaluation signifies a network traffic anomaly; and
- emitting an alert if the result of evaluation signifies a network traffic anomaly.
(Dependent claims: 2)
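As an added illustration of the pipeline in claims 1 and 8 (example code written for this page, not the patent's own implementation), the Python sketch below dispatches each packet to three analyzers that apply different algorithms, evaluates their scores as a collection, and emits an alert only when a quorum of analyzers agrees. The `Packet` fields, the three analyzers, the thresholds and the sample traffic are all constructed assumptions.

```python
"""Constructed example of claim-1 style collection evaluation (not patent code)."""
from collections import Counter, deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Packet:
    """Summary of one packet; fields and values are constructed for the example."""
    src: str
    dst: str
    dport: int
    size: int
    payload: bytes = b""


class Analyzer:
    """Each analyzer applies its own algorithm and returns a score in [0, 1]."""
    name = "base"

    def analyze(self, pkt: Packet) -> float:
        raise NotImplementedError


class RateAnalyzer(Analyzer):
    """Volumetric check: share of the last `window` packets sent by this source."""
    name = "rate"

    def __init__(self, window=50, threshold=20):
        self.recent = deque(maxlen=window)
        self.threshold = threshold

    def analyze(self, pkt):
        self.recent.append(pkt.src)
        return min(1.0, self.recent.count(pkt.src) / self.threshold)


class PortSpreadAnalyzer(Analyzer):
    """Scan-like behaviour: distinct destination ports touched per source."""
    name = "port_spread"

    def __init__(self, threshold=10):
        self.ports = {}
        self.threshold = threshold

    def analyze(self, pkt):
        seen = self.ports.setdefault(pkt.src, set())
        seen.add(pkt.dport)
        return min(1.0, len(seen) / self.threshold)


class EntropyAnalyzer(Analyzer):
    """Payload Shannon entropy normalised to [0, 1] (8 bits is the byte maximum)."""
    name = "entropy"

    def analyze(self, pkt):
        if not pkt.payload:
            return 0.0
        total = len(pkt.payload)
        h = -sum(c / total * math.log2(c / total)
                 for c in Counter(pkt.payload).values())
        return h / 8.0


@dataclass
class Verdict:
    anomaly: bool
    scores: dict
    reason: str


class AnomalyDetector:
    """Evaluates the analyzers' results as a collection: at least `quorum`
    analyzers must score >= `per_analyzer` before an alert is emitted, so a
    single analyzer firing alone (entropy on ordinary TLS, say) is not enough."""

    def __init__(self, analyzers, per_analyzer=0.6, quorum=2):
        self.analyzers = analyzers
        self.per_analyzer = per_analyzer
        self.quorum = quorum

    def process(self, pkt: Packet) -> Verdict:
        scores = {a.name: a.analyze(pkt) for a in self.analyzers}
        voters = [n for n, s in scores.items() if s >= self.per_analyzer]
        anomaly = len(voters) >= self.quorum
        return Verdict(anomaly, scores, ",".join(voters) if anomaly else "")


def new_detector():
    return AnomalyDetector([RateAnalyzer(), PortSpreadAnalyzer(), EntropyAnalyzer()])


def sample_packets():
    """Constructed traffic: 5 TLS-like packets with maximal-entropy payload from
    a benign host, then 25 empty probes from one source to 25 different ports."""
    benign = [Packet("10.0.0.7", "10.0.0.1", 443, 1400, bytes(range(256)))
              for _ in range(5)]
    probes = [Packet("10.0.0.5", "10.0.0.1", port, 60) for port in range(1, 26)]
    return benign + probes


def run(packets, detector):
    """Return (src, reason) for every packet the collection flags."""
    alerts = []
    for p in packets:
        v = detector.process(p)
        if v.anomaly:
            alerts.append((p.src, v.reason))
    return alerts


if __name__ == "__main__":
    for src, why in run(sample_packets(), new_detector()):
        print(f"ALERT {src}: {why}")
```

On the constructed sample, the entropy analyzer scores the benign host's packets at 1.0, but because no second analyzer agrees the collection rule never alerts on them; the probing source is flagged once both the rate and port-spread analyzers cross their thresholds. That is the false-positive reduction the abstract claims, obtained from agreement between independent algorithms rather than from a stored baseline. In practice each analyzer would carry its own threshold and weight instead of the single uniform `per_analyzer` value used here.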
3. A method for detecting and classifying network traffic anomalies, comprising:
- receiving a stream of packets of information related to network traffic;
- passing at least a portion of said stream of information packets to a network traffic analyzer;
- applying at least one analytical algorithm to said portion of said stream of information packets;
- determining if said applying step indicates the existence of a network traffic anomaly; and
- emitting an alert if a network traffic anomaly is detected;
- wherein said applying and said determining steps are practiced prior to any step of permanently storing said portion of said stream of information packets.
4. A method for assessing the condition of an interface of a network device, comprising:
- receiving a stream of packets of information related to network traffic passing through said network device interface;
- passing at least a portion of said stream of information packets to a network traffic analyzer;
- applying at least one analytical algorithm to said portion of said stream of information packets;
- wherein said applying step computes a metric for assessing the operational condition of said network device interface;
- emitting an alert if said computed metric indicates an abnormal operational condition of said network device interface;
- wherein said applying and said metric computation are practiced prior to any step of permanently storing said portion of said stream of information packets.
(Dependent claims: 5, 6, 7)
8. A system for detecting and classifying network traffic anomalies, comprising:
- a network traffic monitor for receiving a packet of information related to network traffic and selectively passing said packet to one or a plurality of network traffic analyzers;
- at least some of said network traffic analyzers capable of applying an analytical algorithm to information contained in said packet that is different from the analytical algorithm applied by another of said network traffic analyzers;
- a network anomaly detector for receiving results of analysis performed by said analyzers, said network anomaly detector capable of evaluating results of analysis performed by said analyzers as a collection, determining if the result of evaluation signifies a network traffic anomaly and emitting an alert if the result of evaluation signifies a network traffic anomaly.
(Dependent claims: 9)
10. A system for detecting and classifying network traffic anomalies, comprising:
- a network traffic monitor for receiving a stream of packets of information related to network traffic and passing at least a portion of said stream of information packets to a network traffic analyzer;
- said network traffic analyzer capable of applying at least one analytical algorithm to said portion of said stream of information packets and determining if the results thereof indicate the existence of a network traffic anomaly and emitting an alert if a network traffic anomaly is detected;
- wherein said network traffic analyzer performs at least a portion of the applying and determining actions prior to permanently storing said portion of said stream of information packets.
11. A system for assessing the condition of an interface of a network device, comprising:
- a network traffic monitor for receiving a stream of packets of information related to network traffic passing through said network device interface and passing at least a portion of said stream of information packets to a network traffic analyzer;
- said network traffic analyzer capable of applying at least one analytical algorithm to said portion of said stream of information packets to compute a metric for assessing the operational condition of said network device interface;
- a network anomaly detector for receiving said computed metric and emitting an alert if said computed metric indicates an abnormal operational condition of said network device interface;
- wherein said network traffic analyzer performs said metric computation prior to permanently storing said portion of said stream of information packets.
(Dependent claims: 12, 13, 14)
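As an added example for claims 4 and 11, and for the "prior to permanently storing" requirement shared with claims 3 and 10 (example code written for this page, not the patent's own implementation), the Python sketch below computes a per-interface operational metric on the frame stream as it arrives and alerts from that metric alone; only per-interface byte totals are ever written to the store, never the frames. The `Frame` fields, the error-ratio metric, the window sizes, the 5% limit and the sample stream are constructed assumptions.

```python
"""Constructed example of a streaming interface-condition metric (not patent code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One frame as seen on an interface; fields are constructed for the example."""
    iface: str
    length: int
    crc_error: bool = False   # frame failed its checksum
    truncated: bool = False   # frame shorter than its headers claim


class InterfaceHealth:
    """Per-interface sliding-window error ratio. Only one boolean per frame is
    retained, so the analyzer keeps no packet content and needs no baseline."""

    def __init__(self, window=100, min_frames=20, limit=0.05):
        self.window = window
        self.min_frames = min_frames   # evidence required before judging
        self.limit = limit             # assumed ratio above which the link is degraded
        self._flags = {}

    def observe(self, frame: Frame) -> None:
        d = self._flags.setdefault(frame.iface, deque(maxlen=self.window))
        d.append(frame.crc_error or frame.truncated)

    def metric(self, iface):
        d = self._flags.get(iface)
        if d is None or len(d) < self.min_frames:
            return None   # not enough frames seen yet
        return sum(d) / len(d)

    def condition(self, iface) -> str:
        m = self.metric(iface)
        if m is None:
            return "unknown"
        return "degraded" if m > self.limit else "normal"


def process_stream(frames, health, summary):
    """Compute the metric on each frame as it arrives. Only per-interface byte
    totals reach `summary`; an alert is emitted once per transition into the
    degraded state rather than on every frame while degraded."""
    alerts = []
    last = {}
    for frame in frames:
        health.observe(frame)
        cond = health.condition(frame.iface)
        if cond == "degraded" and last.get(frame.iface) != "degraded":
            alerts.append((frame.iface, round(health.metric(frame.iface), 3)))
        last[frame.iface] = cond
        summary[frame.iface] = summary.get(frame.iface, 0) + frame.length
    return alerts


def sample_frames():
    """Constructed stream: eth0 is clean; on eth1 every 10th frame fails CRC."""
    eth0 = [Frame("eth0", 1500) for _ in range(100)]
    eth1 = [Frame("eth1", 1500, crc_error=(i % 10 == 0)) for i in range(1, 101)]
    return eth0 + eth1


def demo():
    health = InterfaceHealth()
    summary = {}
    alerts = process_stream(sample_frames(), health, summary)
    return alerts, health, summary


if __name__ == "__main__":
    alerts, health, summary = demo()
    for iface, ratio in alerts:
        print(f"ALERT {iface}: error ratio {ratio}")
    print({iface: health.condition(iface) for iface in summary})
```

The `min_frames` guard is the edge case worth keeping: with a handful of frames a single CRC failure would push the ratio far above the limit, so the metric reports `unknown` until the window holds enough evidence. The alert-on-transition rule keeps a persistently degraded link from flooding the alert channel, which matters when the same detector also feeds the security alerts of claim 1.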
Specification