Anomaly detection systems for a computer network
First Claim
1. A network server, comprising:
- a processor;
memory storing executable instructions that, when executed by the processor, perform a method for detecting anomalous traffic in a data stream, said method comprising steps of;
a) generating a baseline value corresponding to non-anomalous data in the data stream;
b) generating a first test value based on current data of the data stream;
c) adjusting the baseline value based on the first test value; and
d) triggering an anomaly alarm when the first test value varies from the baseline by at least a predetermined value,wherein step a) comprises steps of;
i) initializing parameters using the formulas;
μ
1=X1
S1=S2= . . . =SN=1
Var1=MinSD2 where N represents a number of intervals per cycle, MinSD>
0, and X represents a data point, andii) generating the baseline by evaluating the formulas;
1 Assignment
0 Petitions
Accused Products
Abstract
Methodologies and systems for detecting an anomaly in a flow of data or data stream are described herein. To detect an anomaly, an anomaly detection server may create a baseline based on historical or other known non-anomalous data within the data stream. The anomaly detection server then generates one or more test values based on current data in the data stream, and compares the test value(s) to the baseline to determine whether they vary by more than a predetermined amount. If the deviation exceeds the predetermined amount, an alarm is triggered. The anomaly detection server may continually adjust the baseline based on the current data in the data stream, and may renormalize the baseline periodically if desired or necessary.
55 Citations
6 Claims
-
1. A network server, comprising:
-
a processor; memory storing executable instructions that, when executed by the processor, perform a method for detecting anomalous traffic in a data stream, said method comprising steps of; a) generating a baseline value corresponding to non-anomalous data in the data stream; b) generating a first test value based on current data of the data stream; c) adjusting the baseline value based on the first test value; and d) triggering an anomaly alarm when the first test value varies from the baseline by at least a predetermined value, wherein step a) comprises steps of; i) initializing parameters using the formulas;
μ
1=X1
S1=S2= . . . =SN=1
Var1=MinSD2where N represents a number of intervals per cycle, MinSD>
0, and X represents a data point, andii) generating the baseline by evaluating the formulas; - View Dependent Claims (2, 3, 4, 5, 6)
-
Specification
-
- Resources
-
Current AssigneeAT&T Intellectual Property II LP (AT&T, Inc.)
-
Original AssigneeAT&T Intellectual Property II LP (AT&T, Inc.)
-
InventorsLiu, Danielle, Futamura, Kenichi
-
Primary Examiner(s)Moe; Aung S
-
Assistant Examiner(s)RIYAMI, ABDULLAH A
-
Application NumberUS11/275,356Time in Patent Office1,742 DaysField of Search370/229, 370/230, 370/230.1, 370/241, 370/242, 370/243, 370/244, 370/245, 370/246, 370/247, 370/252, 709/220, 709/223, 709/225US Class Current370/242CPC Class CodesH04L 63/1416 Event detection, e.g. attac...
