NETWORK STATE INFORMATION CORRELATION TO DETECT ANOMALOUS CONDITIONS

US 20170093907A1
Filed: 09/28/2015
Published: 03/30/2017
Est. Priority Date: 09/28/2015
Status: Active Grant

First Claim

Patent Images

1. A device comprising processing logic to:

receive state information, from a plurality of network devices, the state information corresponding to data relating to an operational state of the plurality of network devices;

generate a plurality of time-series signals corresponding to the received state information;

identify a reference time-series signal from the plurality of time-series signals;

calculate a plurality of correlation values, each of the plurality of plurality of correlation values corresponding to a correlation between the reference time-series signal and one of the plurality of time-series signals; and

output the plurality of correlation values.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

State information relating to the operation of network devices is used to identify network issues and/or anomalies relating to the operation of the network. The state information from the network devices may include time-series signals from a number of the network devices. Correlation values may be obtained between pairs of time-series signals. Pairs of time-series signals that have a relatively high correlation value may be determined to be related to one another. In one implementation, mitigation of the network issues/anomalies may be automatically performed based on calculated correlation values.

38 Citations

View as Search Results

20 Claims

1. A device comprising processing logic to:
- receive state information, from a plurality of network devices, the state information corresponding to data relating to an operational state of the plurality of network devices;
  
  generate a plurality of time-series signals corresponding to the received state information;
  
  identify a reference time-series signal from the plurality of time-series signals;
  
  calculate a plurality of correlation values, each of the plurality of plurality of correlation values corresponding to a correlation between the reference time-series signal and one of the plurality of time-series signals; and
  
  output the plurality of correlation values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The device of claim 1, wherein identifying the reference time-series signal includes:
    - determining when one of the plurality of time-series signals matches a pattern; and
      
      identifying the reference time-series signal as the time-series signal that matches the pattern.
  - 3. The device of claim 1, wherein identifying the reference time-series signal includes:
    - receiving an alarm signal from one of the plurality of network devices; and
      
      identifying the reference time-series signal as a time-series signal that corresponds to state information generated by the network device from which the alarm was received.
  - 4. The device of claim 1, where the processing logic is further to:
    - sort the correlation values in descending order; and
      
      output the correlation values in the sorted order.
  - 5. The device of claim 1, wherein the network devices include routers and the state information corresponds to traffic throughput measurements at interfaces of the routers.
  - 6. The device of claim 1, further comprising processing logic to:
    - determine network topology information corresponding to a network associated with the plurality of network devices; and
      
      determine, based on the network topology information, time-series signals that correspond to network devices, of the plurality of network devices, that are in the vicinity of the network device associated with the reference time-series signal,wherein the plurality of correlation values are calculated between the reference time-series signals and the time-series signals that are determined to correspond to the network devices in the vicinity of the of the network device associated with the reference time-series signal.
  - 7. The device of claim 6, wherein the network topology information includes connections between the plurality of network devices.
  - 8. The device of claim 6, wherein the network topology information includes information identifying geographical locations of the plurality of network devices.
  - 9. The device of claim 1, wherein the network devices include routers and the device further comprises processing logic to:
    - identify, based on the output correlation values, interfaces of the routers that are under Distributed Denial of Service (DDoS) attack; and
      
      adjust parameters corresponding to the routers to mitigate the effects of the DDoS attack.

10. A method, implemented by one or more computing devices, comprising:
- receiving, by the one or more computing devices, state information, from a plurality of network devices, the state information corresponding to data relating to an operational state of the plurality of network devices;
  
  generating, by the one or more computing devices, a plurality of time-series signals corresponding to the received state information;
  
  identifying, by the one or more computing devices, a reference time-series signal from the plurality of time-series signals;
  
  calculating, by the one or more computing devices, a plurality of correlation values, each corresponding to a correlation between the reference time-series signal and one of the plurality of time-series signals; and
  
  outputting, by the one or more computing devices, the correlation values.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10, wherein identifying the reference time-series signal includes:
    - receiving an alarm signal from one of the plurality of network devices; and
      
      identifying the reference time-series signal as a time-series signal that corresponds to state information generated by the network device from which the alarm was received.
  - 12. The method of claim 10, where the method further comprises:
    - sorting the correlation values in descending order; and
      
      outputting the correlation values in the sorted order.
  - 13. The method of claim 10, wherein the network devices include routers and the state information corresponds to traffic throughput measurements at interfaces of the routers.
  - 14. The method of claim 10, wherein the network devices include routers and the method further comprises:
    - identifying, based on the output correlation values, interfaces of the routers that are under Distributed Denial of Service (DDoS) attack; and
      
      adjusting parameters corresponding to the routers to mitigate the effects of the DDoS attack.

15. A system comprising:
- a database to store traffic throughput measurements received from network interfaces of routers in a network, the traffic throughput measurements representing a plurality of time-series signals;
  
  an anomaly detection component to calculate correlation values between the plurality of time-series signals; and
  
  an anomaly mitigation component to;
  
  detect an occurrence of a Distributed Denial of Service (DDoS) attack in the network;
  
  identify, based on the calculated correlation values, two or more of the network interfaces, of the routers in the network, that are being effected by the DDoS attack; and
  
  adjust parameters, corresponding to the identified network interfaces, to mitigate the effects of the DDoS attack.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein adjusting the parameters includes controlling the routers to drop packets at the identified network interfaces.
  - 17. The system of claim 15, wherein the anomaly detection component, when calculating the correlation values, calculates the correlation values based on a configurable parameter that determines time offsets between different time-series signals.
  - 18. The system of claim 15, wherein the anomaly detection component, when calculating the correlation values, is further to:
    - determine a reference time-series signal; and
      
      calculate the correlation values as correlations between the reference time-series signal and the plurality of time-series signals.
  - 19. The system of claim 15, wherein the anomaly detection component is further to:
    - sort the time-series signals in descending order; and
      
      output the sorted time-series signals to the anomaly mitigation component.
  - 20. The system of claim 15, wherein the anomaly detection component, when calculating the correlation values, is further to:
    - determine network topology information corresponding to a network associated with the routers; and
      
      determine, based on the network topology information, pairs of time-series signals to use to calculate the correlation values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Srivastava, Ashok N

Granted Patent

US 10,021,130 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/0816   the condition being an adap...

H04L 41/0886   Fully automatic configuration

H04L 41/12   Discovery or management of ...

H04L 41/142   using statistical or mathem...

H04L 43/08   Monitoring or testing based...

H04L 43/0817   by checking functioning

H04L 43/0888   Throughput

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

NETWORK STATE INFORMATION CORRELATION TO DETECT ANOMALOUS CONDITIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK STATE INFORMATION CORRELATION TO DETECT ANOMALOUS CONDITIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links