EVENT CORRELATION IN A NETWORK MERGING LOCAL GRAPH MODELS FROM DISTRIBUTED NODES
Abstract
In one embodiment, a device in a network receives an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network. The device identifies one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model. The device correlates one or more network events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model. The device identifies a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.
Claims (29 claims; 141 citations)
1. A method comprising:
- receiving, at a device in a network, an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network;
- identifying, by the device, one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model;
- correlating, by the device, one or more network events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model; and
- identifying, by the device, a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.
Dependent claims: 2 through 15.
16. A method, comprising:
- maintaining, at a first device in a network, a graph-based anomaly detection model for a set of nodes in the network;
- detecting, by the first device, a network anomaly using the graph-based anomaly detection model;
- reporting, by the first device, the detected network anomaly to a second device; and
- providing, by the first device, data regarding the graph-based anomaly detection model for the set of nodes to the second device.
Dependent claims: 17 through 19.
20. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the one or more network interfaces and configured to execute a process; and
- a memory configured to store the process executable by the processor, the process when executed operable to:
  - receive an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network;
  - identify one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model;
  - correlate one or more events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model; and
  - identify a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.
Dependent claims: 21 through 26.
27. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the one or more network interfaces and configured to execute a process; and
- a memory configured to store the process executable by the processor, the process when executed operable to:
  - maintain a graph-based anomaly detection model for a set of nodes in the network;
  - detect a network anomaly using the graph-based anomaly detection model;
  - report the detected network anomaly to a device in the network; and
  - provide data regarding the graph-based anomaly detection model for the set of nodes to the device.
Dependent claims: 28 and 29.
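The correlation workflow of claims 1 and 16, as an added Python example that is not code from the patent: each node hosts a local graph-based model over a subset of network nodes and reports that node set to the central device (claim 16); the device then picks the additional models whose node sets overlap the anomaly, correlates their events by shared node and time window, and names the earliest preceding correlated event as the cause (claim 1). The model data, event records and the time window are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    model: str            # node whose local graph-based model emitted the event
    members: frozenset    # network nodes the event (or anomaly) involves
    t: float              # timestamp in seconds
    kind: str             # event label, e.g. "link_flap"


# Model data each node provided to the central device (claim 16); constructed sample.
LOCAL_MODELS = {
    "R1": {"A", "B", "C"},
    "R2": {"C", "D", "E"},
    "R3": {"X", "Y"},
}

# Events reported by the other models; constructed sample.
EVENTS = [
    Event("R2", frozenset({"C", "D"}), 95.0, "link_flap"),   # shares node C, before anomaly
    Event("R2", frozenset({"E"}), 10.0, "config_change"),    # no shared node, too old
    Event("R2", frozenset({"C"}), 120.0, "reroute"),         # shares node C, after anomaly
    Event("R3", frozenset({"X"}), 99.0, "cpu_spike"),        # model does not overlap
]

# Anomaly raised by R1's model on nodes B and C at t=100 (constructed).
ANOMALY = Event("R1", frozenset({"B", "C"}), 100.0, "traffic_spike")


def additional_models(anomaly, models=LOCAL_MODELS):
    """Claim 1, step 2: other models whose node set overlaps the anomalous nodes."""
    return sorted(m for m, nodes in models.items()
                  if m != anomaly.model and nodes & anomaly.members)


def correlate(anomaly, events, models, window=60.0):
    """Claim 1, step 3: events from those models that share a node with the
    anomaly and fall within +/- window seconds of it, oldest first."""
    targets = set(additional_models(anomaly, models))
    hits = [e for e in events
            if e.model in targets and e.members & anomaly.members
            and abs(e.t - anomaly.t) <= window]
    return sorted(hits, key=lambda e: e.t)


def identify_cause(anomaly, events, models, window=60.0):
    """Claim 1, step 4: earliest correlated event that precedes the anomaly;
    None when no additional model contributes a correlated prior event."""
    prior = [e for e in correlate(anomaly, events, models, window) if e.t <= anomaly.t]
    return prior[0] if prior else None
```

Events that correlate but occur after the anomaly (the reroute at t=120) are kept by correlate as supporting context yet never chosen as the cause, and an anomaly on a node no other model covers yields None rather than a guess.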
Specification