Anomaly detection for storage traffic in a data center
First Claim
1. A method of detecting anomalies in a storage area network (SAN) comprising at least a network device, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the method comprising:
at the network device, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the network device of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
at the network device, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
when the provided anomaly type is detected, performing the corresponding action.
Abstract
Disclosed are methods and apparatus for detecting anomalies in a storage area network (SAN). One or more anomaly types are provided together with the corresponding actions to be performed when those anomaly types are detected. Traffic in the SAN is then inspected in order to detect the provided anomaly types. When one of the provided anomaly types is detected, one or more of the corresponding actions is performed. The provided anomaly types may include one or more of the following: a read or write access pattern anomaly, excessive login or control requests, a bandwidth usage anomaly, a configuration anomaly, and a hardware anomaly. The provided corresponding actions may include logging and/or publishing the detected anomaly, enabling capture of the detected anomaly by an analysis device, re-authentication of the host responsible for the anomaly, disabling access control for the host responsible for the anomaly, rate control of the anomalous link, and shutdown of the anomalous link.
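As an added illustration, and not code from the patent or its assignee, the following Python sketch has the shape the abstract describes: anomaly types are paired with actions up front, constructed traffic records from a logged-in server are then examined one at a time, and the paired action is performed when a type is detected. The anomaly type names, thresholds, window sizes, host and array names, and the concrete action set are all assumptions made for this example; the three detectors cover the access-pattern, excessive-login and bandwidth types named in the abstract, and the other actions from that list are present only as entries in the action table.

```python
"""Toy SAN anomaly detector shaped like the claims above (example code, not the patent's).

Thresholds, window sizes, host/array names and action names are assumptions for
this illustration, not values taken from the patent.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Actions from the abstract; here each one just records what it would have done.
ACTIONS = {
    "log": lambda a, s, d, t: f"logged {a} from {s} to {d} at t={t}",
    "capture": lambda a, s, d, t: f"mirrored {s}->{d} to an analysis device",
    "reauthenticate": lambda a, s, d, t: f"forced re-login of {s}",
    "disable_access": lambda a, s, d, t: f"removed {s} from the access list of {d}",
    "rate_control": lambda a, s, d, t: f"rate-limited link {s}->{d}",
    "shutdown": lambda a, s, d, t: f"shut down link {s}->{d}",
}


@dataclass(frozen=True)
class Policy:
    """One provided anomaly type paired with the action to perform when it is detected."""
    anomaly_type: str    # "access_pattern" | "excessive_login_or_control" | "bandwidth"
    action: str          # key in ACTIONS
    threshold: float     # count (or bytes) above which the type counts as detected
    window_s: float = 0  # sliding window for the rate-style types

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


def _window_total(dq, t, window_s, value):
    """Append (t, value) and return the sum of values seen in the last window_s seconds."""
    dq.append((t, value))
    while dq and t - dq[0][0] > window_s:
        dq.popleft()
    return sum(v for _, v in dq)


class SanAnomalyDetector:
    def __init__(self, policies):
        self.policies = {p.anomaly_type: p for p in policies}
        self.logged_in = set()                   # (server, storage) pairs with a completed login
        self.control_times = defaultdict(deque)  # server -> recent login/control events
        self.bytes_seen = defaultdict(deque)     # (server, storage) -> recent (t, bytes)
        self.io_counts = defaultdict(lambda: {"read": 0, "write": 0})
        self.performed = []                      # (anomaly_type, action, message)

    def observe(self, t, server, storage, op, nbytes=0):
        """Examine one traffic record; return the anomaly types detected in it."""
        key = (server, storage)
        detected = []
        if op in ("login", "control"):
            if op == "login":
                self.logged_in.add(key)
            p = self.policies.get("excessive_login_or_control")
            if p and _window_total(self.control_times[server], t, p.window_s, 1) > p.threshold:
                detected.append(p.anomaly_type)
        elif op in ("read", "write") and key in self.logged_in:  # only logged-in servers, as claimed
            counts = self.io_counts[key]
            p = self.policies.get("access_pattern")
            # Assumed access-pattern rule: a first write from a server whose history on
            # this device has been read-only for at least `threshold` reads.
            if p and op == "write" and counts["write"] == 0 and counts["read"] >= p.threshold:
                detected.append(p.anomaly_type)
            counts[op] += 1
            p = self.policies.get("bandwidth")
            if p and _window_total(self.bytes_seen[key], t, p.window_s, nbytes) > p.threshold:
                detected.append(p.anomaly_type)
        for a in detected:  # perform the action paired with each detected type
            pol = self.policies[a]
            self.performed.append((a, pol.action, ACTIONS[pol.action](a, server, storage, t)))
        return detected


# Constructed sample traffic: (time_s, server, storage, op, bytes). Names are placeholders.
SAMPLE_TRAFFIC = [
    (0.0, "host-a", "array-1", "login", 0),
    (1.0, "host-a", "array-1", "read", 4096),
    (2.0, "host-a", "array-1", "read", 4096),
    (3.0, "host-a", "array-1", "read", 4096),
    (4.0, "host-a", "array-1", "write", 4096),   # read-only history, then a write
] + [(10.0 + 0.1 * i, "host-b", "array-2", "login", 0) for i in range(6)] + [  # login storm
    (20.0, "host-c", "array-3", "login", 0),
    (21.0, "host-c", "array-3", "read", 600_000),
    (21.5, "host-c", "array-3", "read", 600_000),  # 1.2 MB inside a one-second window
]

DEFAULT_POLICIES = [
    Policy("access_pattern", "log", threshold=3),
    Policy("excessive_login_or_control", "reauthenticate", threshold=5, window_s=10),
    Policy("bandwidth", "rate_control", threshold=1_000_000, window_s=1),
]


def run(traffic=SAMPLE_TRAFFIC, policies=DEFAULT_POLICIES):
    """Feed every record through the detector and return the actions it performed."""
    det = SanAnomalyDetector(policies)
    for rec in traffic:
        det.observe(*rec)
    return det.performed


if __name__ == "__main__":
    for anomaly, action, msg in run():
        print(f"{anomaly:28} -> {action:15} {msg}")
```

Each rate-style type fires only when its sliding-window total first crosses the threshold, and the access-pattern rule fires once per server/device pair, so a single burst does not produce a flood of identical actions; a real implementation at the switch would also want the configuration and hardware anomaly types from the abstract, which this sketch leaves out.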
39 Claims
1. A method of detecting anomalies in a storage area network (SAN) comprising at least a network device, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the method comprising:
at the network device, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the network device of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
at the network device, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
when the provided anomaly type is detected, performing the corresponding action.
(Dependent claims 2-19 not listed)
20. An apparatus for detecting anomalies in a storage area network (SAN) comprising the apparatus, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, the apparatus comprising:
one or more processors;
one or more memory, wherein at least one of the processors and memory are adapted for:
at the apparatus, providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the apparatus of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
at the apparatus, monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
when the provided anomaly type is detected, performing the corresponding action.
(Dependent claims 21-37 not listed)
38. An apparatus for detecting anomalies in a storage area network (SAN) comprising the apparatus, a plurality of servers, and a plurality of storage devices accessible by the plurality of servers, comprising:
means for providing an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the apparatus of the SAN and such received traffic pertains to a particular server of the SAN requesting that data be read to a particular storage device of the SAN or written to the particular storage device of the SAN, wherein the particular server of the SAN is logged into the particular storage device of the SAN;
means for monitoring traffic that is received by the network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the monitored traffic; and
means for performing the corresponding action when the provided anomaly type is detected.
39. A storage area network (SAN) system for detecting anomalies, comprising:
a plurality of network devices; and
a plurality of storage devices which are each accessible by one or more servers through at least one of the network devices, wherein at least a first one of the network devices of the SAN network is operable to:
provide an anomaly type and corresponding action to be performed when the anomaly type is detected for traffic received by the first network device and such received traffic pertains to a particular server of the SAN network accessing or initiating access with a particular storage device of the SAN, wherein accessing and initiating access each include the particular server logging into the particular storage device of the SAN;
examine traffic that is received by the first network device sent from the particular server to the particular storage device so as to detect the provided anomaly type in the examined traffic; and
when the provided anomaly type is detected, perform the corresponding action.