EVENT CORRELATION IN A NETWORK MERGING LOCAL GRAPH MODELS FROM DISTRIBUTED NODES

US 20160219066A1
Filed: 01/26/2015
Published: 07/28/2016
Est. Priority Date: 01/26/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving, at a device in a network, an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network;

identifying, by the device, one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model;

correlating, by the device, one or more network events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model; and

identifying, by the device, a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network receives an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network. The device identifies one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model. The device correlates one or more network events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model. The device identifies a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.

141 Citations

29 Claims

1. A method comprising:
- receiving, at a device in a network, an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network;
  
  identifying, by the device, one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model;
  
  correlating, by the device, one or more network events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model; and
  
  identifying, by the device, a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method as in claim 1, wherein the network anomaly is indicative of an attack on the network.
  - 3. The method as in claim 1, wherein the first graph-based anomaly detection model and the one or more additional graph-based anomaly detection models are hosted by different nodes in the network and model different subsets of the network.
  - 4. The method as in claim 1, further comprising:
    - confirming, by the device, the network anomaly detected by the first node.
  - 5. The method as in claim 1, wherein confirming the network anomaly detected by the first node comprises:
    - providing, by the device, information regarding the network anomaly detected by the first graph-based anomaly detection model to a user interface device; and
      
      receiving, by the device, a confirmation via the user interface device that the network anomaly detected by the first graph-based anomaly detection model is anomalous.
  - 6. The method as in claim 1, further comprising:
    - receiving, at the device, data regarding the first graph-based anomaly detection model from the first node and data regarding the one or more additional graph-based anomaly detection models from one or more other nodes in the network.
  - 7. The method as in claim 6, further comprising:
    - requesting, by the device, the data regarding the first graph-based anomaly detection model from the first node and the data regarding the one or more additional graph-based anomaly detection models from the one or more other nodes in the network.
  - 8. The method as in claim 1, wherein the one or more network events and the network anomaly are correlated temporally or topographically.
  - 9. The method as in claim 1, wherein the device correlates the one or more network events with the network anomaly by:
    - identifying, by the device, one or more traffic flows from the one or more additional graph-based anomaly detection models and are associated with the detected network anomaly; and
      
      identifying, by the device, a set of one or more nodes associated with the one or more traffic flows.
  - 10. The method as in claim 1, wherein a particular one of the one or more network events correlated to the network anomaly is also a network anomaly detected by a particular one of the one or more additional graph-based anomaly detection models.
  - 11. The method as in claim 1, further comprising:
    - causing, by the device, a particular node in the network to perform an anomaly mitigation operation, wherein the particular node is identified based on the cause of the network anomaly.
  - 12. The method as in claim 11, wherein one or more traffic flows associated with the network anomaly flow through the particular node, and wherein the anomaly mitigation operation corresponds to the particular node blocking the one or more traffic flows associated with the network anomaly.
  - 13. The method as in claim 11, wherein the particular node is the first node.
  - 14. The method as in claim 11, wherein the particular node does not host a graph-based anomaly detection model.
  - 15. The method as in claim 1, wherein the first graph-based anomaly detection model comprises an ego-centric graph that represents nodes in the network.

16. A method, comprising:
- maintaining, at a first device in a network, a graph-based anomaly detection model for a set of nodes in the network;
  
  detecting, by the first device, a network anomaly using the graph-based anomaly detection model;
  
  reporting by the first device, the detected network anomaly to a second device; and
  
  providing, by the first device, data regarding the graph-based anomaly detection model for the set of nodes to the second device.
- View Dependent Claims (17, 18, 19)
- - 17. The method as in claim 16, wherein the graph-based anomaly detection model comprises an ego-centric graph that represents the set of nodes.
  - 18. The method as in claim 16, wherein the first device provides the data regarding the graph-based anomaly detection model to the second device in response to receiving a request for the data from the second device.
  - 19. The method as in claim 16, further comprising:
    - receiving, at the first device, an instruction from the second device to perform an anomaly mitigation operation.

20. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store the process executable by the processor, the process when executed operable to;
  
  receive an indication of a network anomaly detected by a first graph-based anomaly detection model hosted by a first node in the network;
  
  identify one or more additional graph-based anomaly detection models based on the network anomaly detected by the first graph-based anomaly detection model;
  
  correlate one or more events from the one or more additional graph-based anomaly detection models with the network anomaly detected by the first graph-based anomaly detection model; and
  
  identify a cause of the network anomaly using the one or more network events from the one or more additional graph-based anomaly detection models that are correlated with the network anomaly detected by the first graph-based anomaly detection model.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The apparatus as in claim 20, wherein the network anomaly is indicative of an attack on the network.
  - 22. The apparatus as in claim 20, wherein the first graph-based anomaly detection model and the one or more additional graph-based anomaly detection models are hosted by different nodes in the network and model different subsets of the network.
  - 23. The apparatus as in claim 20, wherein the first graph-based anomaly detection model comprises an ego-centric graph that represents nodes in the network.
  - 24. The apparatus as in claim 20, wherein the apparatus identifies the one or more network events correlated to the network anomaly by:
    - identifying one or more traffic flows from the one or more additional graph-based anomaly detection models and are associated with the network anomaly detected by the first node; and
      
      identifying a set of one or more nodes associated with the one or more traffic flows.
  - 25. The apparatus as in claim 20, wherein a particular one of the one or more network events correlated to the network anomaly is also a network anomaly detected by a particular one of the one or more additional graph-based anomaly detection models.
  - 26. The apparatus as in claim 20, wherein the process when executed is further operable to:
    - cause a particular node in the network to perform an anomaly mitigation operation, wherein the particular node is identified based on the cause of the network anomaly.

27. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store the process executable by the processor, the process when executed operable to;
  
  maintain a graph-based anomaly detection model for a set of nodes in the network;
  
  detect a network anomaly using the graph-based anomaly detection model;
  
  report the detected network anomaly to a device in the network; and
  
  provide data regarding the graph-based anomaly detection model for the set of nodes to the device.
- View Dependent Claims (28, 29)
- - 28. The apparatus as in claim 27, wherein the process when executed is further operable to:
    - receive an instruction from the second device to perform an anomaly mitigation operation.
  - 29. The apparatus as in claim 27, wherein the graph-based anomaly detection model comprises an ego-centric graph that represents the set of nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Mermoud, Grgory, Cruz Mota, Javier

Application Number

US14/605,916
Publication Number

US 20160219066A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

EVENT CORRELATION IN A NETWORK MERGING LOCAL GRAPH MODELS FROM DISTRIBUTED NODES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

141 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

EVENT CORRELATION IN A NETWORK MERGING LOCAL GRAPH MODELS FROM DISTRIBUTED NODES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

141 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links