Event detection/anomaly correlation heuristics

US 8,458,795 B2
Filed: 04/19/2008
Issued: 06/04/2013
Est. Priority Date: 11/04/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting conditions in a network, comprising:

finding, by computer, anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and

collecting anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting network intrusions and other conditions in a network is described. The system includes a plurality of collector devices that are disposed to collect data and statistical information on packets that are sent between nodes on a network. An aggregator device is disposed to receive data and statistical information from the plurality of collector devices. The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node. The aggregator runs processes that determine network events from aggregating of anomalies into network events.

Citations

20 Claims

1. A method for detecting conditions in a network, comprising:
- finding, by computer, anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
  
  collecting anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - sending event reports to an operator.
  - 3. The method of claim 1 further comprising determining event severity.
  - 4. The method of claim 3 wherein the event severity is characterized by at least one of a type, number, and severity of anomalies that led to an identification of the event.
  - 5. The method of claim 1 wherein collecting anomalies, comprises:
    - tracking a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 6. The method of claim 1 wherein collecting anomalies into events comprisestracking a variance of a parameter to allow collecting to account for burstiness in network traffic.
  - 7. The method of claim 1, wherein the connection table includes a first map which maps a first host identifier to a host object, wherein the host object includes a second map which maps a second host identifier to a host-pair record, and wherein the host-pair record includes information about traffic between hosts corresponding to the first and second host identifiers.
  - 8. The method of claim 1, wherein the connection table includes a first map and a second map, wherein the first map maps a host identifier to a host object, wherein the host object includes information about traffic to or from a host corresponding to the host identifier, wherein the second map maps a pair of host identifiers to a host-pair record, and wherein the host-pair record includes information about traffic between hosts corresponding to the pair of host identifiers.

9. A computer program product tangibly stored in a non-transitory computer readable medium for detecting intrusions in a network, comprising instructions for causing a processor to:
- find anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
  
  collect anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer program product of claim 9 further comprising instructions to:
    - send event reports to an operator.
  - 11. The computer program product of claim 9 further comprising instructions to:
    - determine event severity.
  - 12. The computer program product of claim 11 wherein event severity is characterized by at least one of a type, number, and severity of anomalies that led to an identification of the event.
  - 13. The computer program product of claim 9 wherein instructions to collect anomalies, further comprises instructions to:
    - track a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 14. The computer program product of claim 9 wherein instructions to collect anomalies into events comprises instructions to:
    - track a variance of a parameter to account for burstiness in network traffic.

15. A device for detecting conditions in a network, comprising:
- circuitry to find anomalies by analyzing connection patterns, wherein anomalies are differences in connection patterns between hosts relative to some comparison period; and
  
  circuitry to collect anomalies into operationally relevant events, wherein an operationally relevant event is a collection of anomalies related to a singular cause, wherein collecting anomalies into events comprises traversing a connection table to identify and correlate anomalies by determining connection patterns that correlate with a particular event class.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The device of claim 15 further comprising:
    - circuitry to send event reports to an operator.
  - 17. The device of claim 15 further comprising circuitry to determine event severity.
  - 18. The device of claim 17 wherein the circuitry characterizes the event severity by at least one of a type, number, and severity of anomalies that led to an identification of the event.
  - 19. The device of claim 15 wherein circuitry to collect anomalies, comprises:
    - circuitry to track a moving average that allows collecting anomalies to adapt to slowly changing network conditions.
  - 20. The device of claim 15 wherein circuitry to collect anomalies into events comprises:
    - circuitry to track a variance of a parameter to account for burstiness in network traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Weber, Daniel, Gopalan, Prem, Poletto, Massimiliano Antonio
Primary Examiner(s)
Chai, Longbit

Application Number

US12/106,272
Publication Number

US 20100115617A1
Time in Patent Office

1,872 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Event detection/anomaly correlation heuristics

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Event detection/anomaly correlation heuristics

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links