MULTI-DIMENSIONAL SYSTEM ANOMALY DETECTION

US 20180027004A1
Filed: 11/14/2016
Published: 01/25/2018
Est. Priority Date: 07/19/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a device in a network, a first plurality of measurements for network metrics captured during a first time period;

determining, by the device, a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;

receiving, at the device, a second plurality of measurements for the network metrics captured during a second time period;

determining, by the device, a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period; and

identifying, by the device, a difference between the first and second sets of correlations between the network metrics as a network anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network receives a first plurality of measurements for network metrics captured during a first time period. The device determines a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period. The device receives a second plurality of measurements for the network metrics captured during a second time period. The device determines a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period. The device identifies a difference between the first and second sets of correlations between the network metrics as a network anomaly.

41 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving, at a device in a network, a first plurality of measurements for network metrics captured during a first time period;
  
  determining, by the device, a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
  
  receiving, at the device, a second plurality of measurements for the network metrics captured during a second time period;
  
  determining, by the device, a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period; and
  
  identifying, by the device, a difference between the first and second sets of correlations between the network metrics as a network anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, further comprising:
    - generating, by the device, an alert indicative of the network anomaly.
  - 3. The method as in claim 1, further comprising:
    - projecting, by the device, the first and second pluralities of measurements onto one or more hyperplanes that each comprise a hash function, to generate measurement signatures; and
      
      using, by the device, the measurement signatures to determine the first and second sets of correlations.
  - 4. The method as in claim 3, wherein the measurement signatures comprises hashes of the projected first and second pluralities of measurements.
  - 5. The method as in claim 1, further comprising:
    - performing, by the device, spectral analysis on the first and second pluralities of measurements, to determine the first and second sets of correlations.
  - 6. The method as in claim 1, further comprising:
    - generating, by the device, persistence diagrams as sets of topological features from the first and second pluralities of measurements; and
      
      computing, by the device, a distance between the generated persistence diagrams.
  - 7. The method as in claim 6, wherein the topological features comprise clusters and holes of one or more manifolds in which measurements from the first or second pluralities of measurements are data points in the one or more manifolds.
  - 8. The method as in claim 1, wherein the network metrics comprise at least one of:
    - a byte size of a traffic flow, a time associated with a traffic flow, or an available resource of a node in the network.

9. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a first plurality of measurements for network metrics captured during a first time period;
  
  determine a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
  
  receive a second plurality of measurements for the network metrics captured during a second time period;
  
  determine a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period; and
  
  identify a difference between the first and second sets of correlations between the network metrics as a network anomaly.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - generate an alert indicative of the network anomaly.
  - 11. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - project the first and second pluralities of measurements onto one or more hyperplanes that each comprise a hash function, to generate measurement signatures; and
      
      use the measurement signatures to determine the first and second sets of correlations.
  - 12. The apparatus as in claim 11, wherein the measurement signatures comprises hashes of the projected first and second pluralities of measurements.
  - 13. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - perform spectral analysis on the first and second pluralities of measurements, to determine the first and second sets of correlations.
  - 14. The apparatus as in claim 9, wherein the process when executed is further operable to:
    - generate persistence diagrams as sets of topological features from the first and second pluralities of measurements; and
      
      compute a distance between the generated persistence diagrams.
  - 15. The apparatus as in claim 14, wherein the topological features comprise clusters and holes of one or more manifolds in which measurements from the first or second pluralities of measurements are data points in the one or more manifolds.
  - 16. The apparatus as in claim 9, wherein the network metrics comprise at least one of:
    - a byte size of a traffic flow, a time associated with a traffic flow, or an available resource of a node in the network.

17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- receiving a first plurality of measurements for network metrics captured during a first time period;
  
  determining a first set of correlations between the network metrics using the first plurality of measurements captured during the first time period;
  
  receiving a second plurality of measurements for the network metrics captured during a second time period;
  
  determining a second set of correlations between the network metrics using the second plurality of measurements captured during the second time period; and
  
  identifying a difference between the first and second sets of correlations between the network metrics as a network anomaly.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium as in claim 17, wherein the process further comprises:
    - generating an alert indicative of the network anomaly.
  - 19. The computer-readable medium as in claim 17, wherein the process further comprises:
    - performing spectral analysis on the first and second pluralities of measurements, to determine the first and second sets of correlations.
  - 20. The computer-readable medium as in claim 17, wherein the process further comprises:
    - using locality-sensitive hashing to identify the network anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Huang, Xinyuan, Ranjan, Sarvesh, Zhang, Olivia, Udupi, Yathiraj B., Dutta, Debojyoti

Granted Patent

US 10,333,958 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/16   using machine learning or a...

H04L 43/04   Processing captured monitor...

H04L 43/08   Monitoring or testing based...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/162   at the data link layer

MULTI-DIMENSIONAL SYSTEM ANOMALY DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MULTI-DIMENSIONAL SYSTEM ANOMALY DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links