Method and apparatus for rapid location of anomalies in IP traffic logs
Abstract
An efficient method and apparatus for rapidly detecting anomalies in massive data streams is disclosed. In one embodiment, the method enables near-real-time detection of anomalous behavior in networks. The invention rapidly identifies the addresses that require further analysis, reducing the cost of monitoring, the cost of managing the security of the network, and the time needed to initiate mitigation steps.
17 Citations
3 Claims
1. A method for identifying an anomaly, comprising:

receiving at least one unit of data, where said at least one unit of data is associated with an event;
monitoring at least one object associated with said event;
ranking said at least one object with a ranking on a rank list;
identifying, via a processor, an anomaly in accordance with a movement of said at least one object within said rank list, wherein said movement comprises at least one of: a rate of entry of said at least one object to said rank list, a rate of exit of said at least one object from said rank list, or a rate of movement of said at least one object between rankings of said rank list; and
comparing said ranking of said at least one object to data collected for siblings or cousins.

2. A computer-readable medium having stored thereon a plurality of instructions, the plurality of instructions including instructions which, when executed by a processor, cause the processor to perform steps of a method for identifying an anomaly, comprising:

receiving at least one unit of data, where said at least one unit of data is associated with an event;
monitoring at least one object associated with said event;
ranking said at least one object with a ranking on a rank list;
identifying an anomaly in accordance with a movement of said at least one object within said rank list, wherein said movement comprises at least one of: a rate of entry of said at least one object to said rank list, a rate of exit of said at least one object from said rank list, or a rate of movement of said at least one object between rankings of said rank list; and
comparing said ranking of said at least one object to data collected for siblings or cousins.

3. An apparatus for identifying an anomaly, comprising:

means for receiving at least one unit of data, where said at least one unit of data is associated with an event;
means for monitoring at least one object associated with said event;
means for ranking said at least one object with a ranking on a rank list;
means for identifying an anomaly in accordance with a movement of said at least one object within said rank list, wherein said movement comprises at least one of: a rate of entry of said at least one object to said rank list, a rate of exit of said at least one object from said rank list, or a rate of movement of said at least one object between rankings of said rank list; and
means for comparing said ranking of said at least one object to data collected for siblings or cousins.
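A worked illustration of the procedure the abstract and claims describe, added here as an example and not taken from the patent or its specification. It assumes the objects are source IP addresses, the unit of data is a per-window event count for an address, the rank list is the top-N addresses per window, and "siblings" are other observed addresses in the same /24 (the patent does not define the term on this page; the prefix length, the jump threshold and the sibling factor are all assumptions). The sample records are constructed, not real traffic.

```python
"""Rank-list anomaly detection over an IP event stream (added example).

Objects are source addresses, the unit of data is one per-window event
summary, and the rank list is the top-N addresses by event volume in each
window.  Anomalies are objects that enter the list abruptly, climb many
ranks at once, or dwarf their siblings (assumed here: same /24 prefix).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

TOP_N = 5

# Constructed sample records, not real traffic: (window, src_ip, event count).
# Windows 0 and 1 are steady; in window 2, 10.0.9.9 suddenly dominates.
RECORDS = [
    (0, "10.0.1.5", 50), (0, "10.0.1.6", 40), (0, "10.0.2.7", 30),
    (0, "10.0.3.8", 20), (0, "10.0.4.9", 10), (0, "10.0.9.9", 1), (0, "10.0.9.10", 2),
    (1, "10.0.1.5", 52), (1, "10.0.1.6", 38), (1, "10.0.2.7", 31),
    (1, "10.0.3.8", 19), (1, "10.0.4.9", 11), (1, "10.0.9.9", 1), (1, "10.0.9.10", 2),
    (2, "10.0.1.5", 49), (2, "10.0.1.6", 41), (2, "10.0.2.7", 29),
    (2, "10.0.3.8", 21), (2, "10.0.4.9", 9), (2, "10.0.9.9", 600), (2, "10.0.9.10", 2),
]


def rank_lists(records, top_n=TOP_N):
    """Return {window: (ranks, counts)}: ranks maps the top_n addresses to a
    1-based rank; counts holds every address seen in that window."""
    per_window = defaultdict(lambda: defaultdict(int))
    for window, ip, n in records:
        per_window[window][ip] += n
    result = {}
    for window, counts in per_window.items():
        ordered = sorted(counts, key=lambda ip: (-counts[ip], ip))[:top_n]
        result[window] = ({ip: r for r, ip in enumerate(ordered, 1)}, dict(counts))
    return result


def movement_stats(windows):
    """Per object: how often it entered or left the rank list and its total
    rank displacement across consecutive windows.  Divide by the number of
    transitions to get the entry, exit and movement rates of the claims."""
    stats = defaultdict(lambda: {"entries": 0, "exits": 0, "moves": 0})
    ordered = sorted(windows)
    for prev_w, cur_w in zip(ordered, ordered[1:]):
        prev_ranks, cur_ranks = windows[prev_w][0], windows[cur_w][0]
        for ip in cur_ranks.keys() - prev_ranks.keys():
            stats[ip]["entries"] += 1
        for ip in prev_ranks.keys() - cur_ranks.keys():
            stats[ip]["exits"] += 1
        for ip in cur_ranks.keys() & prev_ranks.keys():
            stats[ip]["moves"] += abs(cur_ranks[ip] - prev_ranks[ip])
    return dict(stats)


def sibling_ratio(ip, counts, prefix_len=24):
    """Volume of ip divided by the median volume of its siblings, where a
    sibling is any other observed address in the same /prefix_len (our
    assumption for the claims' "siblings").  None if it has no siblings."""
    net = ip_network(f"{ip}/{prefix_len}", strict=False)
    sibs = [c for other, c in counts.items() if other != ip and ip_address(other) in net]
    return counts[ip] / median(sibs) if sibs else None


def detect_anomalies(records, top_n=TOP_N, jump=3, sibling_factor=10.0):
    """Flag ranked objects that climbed at least `jump` positions in one
    window (an entry counts as climbing from rank top_n + 1) or whose volume
    is at least `sibling_factor` times their sibling median.
    Returns {ip: [reason, ...]}."""
    windows = rank_lists(records, top_n)
    flagged = defaultdict(list)
    ordered = sorted(windows)
    for prev_w, cur_w in zip(ordered, ordered[1:]):
        prev_ranks = windows[prev_w][0]
        ranks, counts = windows[cur_w]
        for ip, rank in ranks.items():
            climbed = prev_ranks.get(ip, top_n + 1) - rank
            if climbed >= jump:
                flagged[ip].append(f"window {cur_w}: climbed {climbed} to rank {rank}")
            ratio = sibling_ratio(ip, counts)
            if ratio is not None and ratio >= sibling_factor:
                flagged[ip].append(f"window {cur_w}: {ratio:.0f}x its /24 sibling median")
    return dict(flagged)


if __name__ == "__main__":
    for ip, reasons in detect_anomalies(RECORDS).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample data only 10.0.9.9 is flagged: it enters the list straight at rank 1 (a climb of 5 from outside the top 5) and runs at 300 times the volume of its /24 sibling, while the addresses it displaced each move by a single rank, which stays below the jump threshold. Sorting every window is fine for a demonstration; over the "massive data streams" the abstract targets, a production version would keep the rank list as a bounded heap or a heavy-hitter sketch rather than materialising per-address counts.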
Specification