DETECTING FLOW ANOMALIES

US 20160217056A1
Filed: 01/28/2015
Published: 07/28/2016
Est. Priority Date: 01/28/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

receiving, by a system comprising a non-transitory memory and a processing resource, network data related to a distributed system;

employing, by the system, a statistical model of the distributed system based on the network data to determine a statistical deviation of a given flow of information through a portion of the distributed system;

determining, by the system, a number of statistically deviated flows connected to the given flow based on a context of the distributed system; and

determining, by the system, if the given flow is an anomaly based on the number of statistically deviated flows connected to the given flow.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method can include receiving network data related to a distributed system. A statistical model of the distributed system based on the network data can be employed to determine a statistical deviation of a given flow of information through a portion of the distributed system. A number of statistically deviated flows connected to the given flow can be determined based on a context of the distributed system. A determination can be made if the given flow is an anomaly based on the number of statistically deviated flows connected to the given flow.

Citations

15 Claims

1. A method, comprising:
- receiving, by a system comprising a non-transitory memory and a processing resource, network data related to a distributed system;
  
  employing, by the system, a statistical model of the distributed system based on the network data to determine a statistical deviation of a given flow of information through a portion of the distributed system;
  
  determining, by the system, a number of statistically deviated flows connected to the given flow based on a context of the distributed system; and
  
  determining, by the system, if the given flow is an anomaly based on the number of statistically deviated flows connected to the given flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein employing the statistical model further comprises inferring missing information during the given flow based on domain knowledge of the given flow and contextual knowledge of the given flow.
  - 3. The method of claim 1, wherein employing the statistical model further comprises estimating information expected to be observed at a destination of the given flow.
  - 4. The method of claim 3, wherein the information comprises at least one of a statistical mean of the information that should be observed at the destination of the given flow or a statistical variance of the information that should be observed at the destination of the given flow.
  - 5. The method of claim 1, wherein discovering the number of statistically deviated flows further comprises determining an elapsed travel time through a start point and an end point related to each statistically deviated flow.
  - 6. The method of claim 1, wherein discovering the number of statistically deviated flows further comprises obtaining an indication of whether the given flow is an anomaly based on the number of statistically deviated flows that are related to the given flow.
  - 7. The method of claim 1, further comprising outputting, by the system, an indication that the given flow is an anomaly.
  - 8. The method of claim 1, wherein the network data comprises source points of flows and end points of flows in the distributed system.
  - 9. The method of claim 8, wherein the network data further comprises time information for at least the source points and the end points of the flows.

10. A non-transitory computer readable medium to store machine readable instructions that when accessed and executed by a processing resource cause a computing device to perform operations, the operations comprising:
- receiving network data comprising source points and end points of a plurality of flows that propagate through different nodes distributed throughout a network;
  
  employing a statistical model of the network based on the network data to determine a statistical deviation of a given flow of the plurality of flows in a distributed system;
  
  determining a number of statistically deviated flows from the plurality of flows connected to the given flow;
  
  determining, if the given flow is an anomaly based on the number of statistically deviated flows connected to the given flow, a strength of the anomaly; and
  
  outputting the strength of the anomaly and a location of the anomaly in the distributed system.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory computer readable medium of claim 10, wherein discovering the number of statistically deviated flows further comprises determining a travel time through a corresponding source point and end point related to each statistically deviated flow.
  - 12. The non-transitory computer readable medium of claim 10, wherein discovering the number of statistically deviated flows further comprises obtaining an indication of whether the given flow is an anomaly based on the number of statistically deviated flows that are related to the given flow.
  - 13. The non-transitory computer readable medium of claim 10, wherein employing the statistical model further comprises estimating a statistical mean expected to be observed at a destination of the given flow or a statistical variance expected to be observed at the destination of the given flow.
  - 14. The non-transitory computer readable medium of claim 10, wherein the network data further comprises time information associated with a portion of the plurality of flows.

15. An anomaly detection system, comprising:
- a non-transitory memory to store machine readable instructions; and
  
  a processing resource to access the memory and execute the machine readable instructions, the machine-readable instructions comprising;
  
  a receiver to receive network data comprising source points and end points of a plurality of flows in a distributed system;
  
  a statistical model component to employ a statistical model of the distributed system based on the network data to determine a statistical deviation of a flow of the plurality of flows;
  
  a statistically deviated flow component to discover a number of statistically deviated flows from the plurality of flows connected to the flow based on a time value and a location value related to each statistically deviated flow and determine whether the given flow is an anomaly; and
  
  an output component to output an indication of the anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
CHUA, FREDDY, Lim, Ee-Peng, Huberman, Bernardo

Application Number

US14/607,247
Publication Number

US 20160217056A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 11/3006   where the computing system ...

G06F 11/3404   for parallel or distributed...

G06F 11/3419   by assessing time

G06F 11/3452   Performance evaluation by s...

DETECTING FLOW ANOMALIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING FLOW ANOMALIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links