NETWORK ANOMALY DETECTION

US 20150341379A1
Filed: 05/22/2014
Published: 11/26/2015
Est. Priority Date: 05/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes;

obtaining, by at least one of the one or more computers, network node information comprising an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for each of the node types;

obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;

generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;

obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; and

determining, by at least one of the one or more computers, a node anomaly score for each of at least some of the plurality of network nodes using a comparison between the second data and the model of expected network activity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

233 Citations

29 Claims

1. A computer implemented method, comprising:
- generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information comprising an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for each of the node types;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
  
  obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; and
  
  determining, by at least one of the one or more computers, a node anomaly score for each of at least some of the plurality of network nodes using a comparison between the second data and the model of expected network activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein determining the node anomaly score for each of at least some of the plurality of network nodes comprises:
    - determining, by at least one of the one or more computers and for a particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node; and
      
      aggregating the edge anomaly scores for each edge connected to the particular network node to determine the node anomaly score for the particular network node.
  - 3. The method of claim 2, wherein aggregating the edge anomaly scores for each edge connected to the particular network node to determine the node anomaly score comprises aggregating the edge anomaly scores using Bayesian inference.
  - 4. The method of claim 1, wherein using the comparison between the second data and the model of expected network activity comprises determining whether the second data indicates that a given network node is sending larger packets or using different network protocols than the model of expected network activity indicates for the given network node.
  - 5. The method of claim 1, wherein the first time period, the future time period, and the second time period have the same length.
  - 6. The method of claim 1, comprising determining whether a particular node anomaly score for a particular network node is greater than a threshold anomaly score.
  - 7. The method of claim 6, comprising sending an event message upon determining that the particular node anomaly score for the particular network node is greater than the threshold anomaly score.
  - 8. The method of claim 7, comprising receiving a reply to the event message that indicates one or more actions to perform in response to determining that the particular node anomaly score for the particular network node is greater than the threshold anomaly score.
  - 9. The method of claim 8, comprising performing at least one of the actions with respect to the particular network node that corresponds with the particular node anomaly score.
  - 10. The method of claim 6, comprising performing at least one action with respect to the particular network node in response to determining that the particular node anomaly score for the particular network node is greater than the threshold anomaly score.
  - 11. The method of claim 10, wherein the at least one of the actions comprises at least one of presenting information to a user about the particular network node, disconnecting the particular network node from a network, restricting inbound or outbound bandwidth of the particular network node, preventing the particular network node from sending or receiving particular types of network traffic, rerouting network traffic that has the particular network node as a destination, quarantining the particular network node, disabling the particular network node, creating a computer-implemented network rule for the particular network node, silently discarding at least some of the network traffic corresponding to the particular network node, transitioning an application executing on the particular network node to another network node, or blocking network traffic that has the particular network node as a destination.
  - 12. The method of claim 1, wherein determining the node anomaly score for each of at least some of the plurality of network nodes comprises:
    - determining, by at least one of the one or more computers and for a particular network node from the plurality of network nodes, a standard deviation of a packet size or a packet quantity of the particular network node using the model of expected network activity; and
      
      determining the node anomaly score for the particular network node using the standard deviation and the second data.

13. A system comprising:
- one or more computers, including a monitoring, the monitoring device having a communications interface, and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising;
  
  generating, by at least one of the one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information comprising an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for each of the node types;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
  
  obtaining, by the monitoring device and via the communications interface, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; and
  
  determining, by the monitoring device, an edge anomaly score for each of at least some of the plurality of edges using a comparison between the second data and the model of expected network activity.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system of claim 13, wherein the operations comprise:
    - aggregating the edge anomaly scores for each edge connected to a particular network node to determine a node anomaly score for the particular network node.
  - 15. The system of claim 13, wherein the operations comprise:
    - comparing the node anomaly score with a threshold anomaly score; and
      
      sending an event message upon determining that the node anomaly score is greater than the threshold anomaly score.
  - 16. The system of claim 13, comprising determining whether a particular node anomaly score for a particular network node is greater than a threshold anomaly score.
  - 17. The system of claim 16, comprising performing at least one action with respect to the particular network node in response to determining whether the particular node anomaly score for the particular network node is greater than the threshold anomaly score.
  - 18. The system of claim 13, wherein determining the edge anomaly score for each of at least some of the plurality of edges comprises:
    - determining, by at least one of the one or more computers and for a particular edge from the plurality of edges, a standard deviation of a packet size or a packet quantity of the particular edge using the model of expected network activity; and
      
      determining the edge anomaly score for the particular edge using the standard deviation and the second data.
  - 19. The system of claim 13, wherein the monitoring device obtains at least some of the second data via the communications interface from a logical or physical interface of another device that mirrors a copy of at least some network traffic that passes through the other device to the monitoring device.
  - 20. The system of claim 19, wherein the logical or physical interface comprises a span port.
  - 21. The system of claim 19, wherein the one or more computers obtain at least some of the first data from the logical or physical interface of the other device that mirrors a copy of at least some network traffic that passes through the other device to the monitoring device.
  - 22. The system of claim 13, wherein the operations comprise:
    - determining, by the monitoring device, whether a connection, that corresponds with the edge anomaly score and between a network node and another network node with which the network node does not normally communicate, indicates that the network node sent packets to or received packets from the other network node; and
      
      determining the edge anomaly score using the determination whether the connection indicates that the network node sent packets to or received packets from the other network node with which the network node does not normally communicate.
  - 23. The system of claim 13, wherein the operations comprise:
    - determining, by the monitoring device, whether a connection, that corresponds with the edge anomaly score, typically transfers a specific type of packet, based on the first data, and recently transferred another type of packet, based on the second data; and
      
      determining the edge anomaly score using the determination whether the connection typically transfers the specific type of packet, based on the first data, and recently transferred the other type of packet, based on the second data.
  - 24. The system of claim 23, wherein the specific type of packet comprises an unencrypted packet and the other type of packet comprises an encrypted packet.

25. A computer storage medium encoded with instructions that, when executed by a user device, cause the user device to perform operations comprising:
- generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information comprising an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for each of the node types;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period of a first length;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period of the first length using the network map, the network node information, and the first data;
  
  obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period of the first length; and
  
  determining, by at least one of the one or more computers, a node anomaly score for each of at least some of the plurality of network nodes using a comparison between the second data and the model of expected network activity.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The computer storage medium of claim 25, wherein determining the node anomaly score for each of at least some of the plurality of network nodes comprises:
    - determining, by at least one of the one or more computers and for a particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other nodes in the plurality of network nodes that have communications paths with the particular network node; and
      
      aggregating the edge anomaly scores for each edge connected to the particular network node to determine the node anomaly score for the particular network node.
  - 27. The computer storage medium of claim 25, wherein the operations comprise:
    - comparing the node anomaly score with a threshold anomaly score; and
      
      sending an event message upon determining that the node anomaly score is greater than the threshold anomaly score.
  - 28. The computer storage medium of claim 25, wherein determining the node anomaly score for each of at least some of the plurality of network nodes comprises:
    - determining, by at least one of the one or more computers and for a particular network node from the plurality of network nodes, a standard deviation of a packet size or a packet quantity of the particular network node using the model of expected network activity; and
      
      determining the node anomaly score for the particular network node using the standard deviation and the second data.
  - 29. The computer storage medium of claim 25, wherein the operations comprise:
    - aggregating the node anomaly scores for each node in a particular network or a particular subnet to determine a network anomaly score for the particular network or a subnet anomaly score for the particular subnet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Carver, Matthew, Solderitsch, James J., Lefebvre, Michael L., Ellett, Eric, Negm, Walid, DiValentin, Louis William

Granted Patent

US 9,503,467 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 43/04   Processing captured monitor...

H04L 43/0888   Throughput

H04L 43/0894   Packet rate

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04W 12/08   Access security

NETWORK ANOMALY DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

233 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK ANOMALY DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

233 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links