Network monitoring of behavior probability density

US 8,639,797 B1
Filed: 07/25/2008
Issued: 01/28/2014
Est. Priority Date: 08/03/2007
Status: Active Grant

First Claim

Patent Images

1. A method, including steps ofmaintaining, at a network monitoring device, information regarding long-term historical activity of a network;

maintaining information regarding short-term activity of that network;

receiving information regarding recent activity of that network;

comparing that information regarding recent activity with that information regarding long-term activity, and determining the presence of abnormal activity in response to a result of said steps of comparing recent with long-term activity;

comparing that information regarding recent activity with that information regarding short-term activity, determining the presence of changes in network activity in response to a result of said steps of comparing recent with short-term activity, and updating that short-term activity if and only if that information regarding recent activity is within normal behavior for that network;

comparing that information regarding short-term activity with that information regarding long-term activity, and determining the presence of changes in network activity in response to a result of said steps of comparing short-term with long-term activity, and updating that long-term activity using that recent activity if and only if that information regarding recent activity is within normal behavior for that network.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network monitoring system maintains both information regarding historical activity of a network, and information regarding emergent activity of the network. Comparison of historical activity of the network with emergent activity of the network allows the system to determine whether network activity is changing over time. The network monitoring system maintains data structures representing a p.d.f. for observable values of network parameters. Recent activity of the network can be compared with both the p.d.f. for historical activity and for emergent activity to aid in determining whether that recent activity is within the realm of normal, and whether network activity is changing over time. The network monitoring system adjusts that information regarding historical activity of a network in response to emergent activity of that network. The network monitoring device determines information regarding time-dependent activity of that network in response to spectral analysis regarding historical activity of that network.

170 Citations

View as Search Results

22 Claims

1. A method, including steps ofmaintaining, at a network monitoring device, information regarding long-term historical activity of a network;
- maintaining information regarding short-term activity of that network;
  
  receiving information regarding recent activity of that network;
  
  comparing that information regarding recent activity with that information regarding long-term activity, and determining the presence of abnormal activity in response to a result of said steps of comparing recent with long-term activity;
  
  comparing that information regarding recent activity with that information regarding short-term activity, determining the presence of changes in network activity in response to a result of said steps of comparing recent with short-term activity, and updating that short-term activity if and only if that information regarding recent activity is within normal behavior for that network;
  
  comparing that information regarding short-term activity with that information regarding long-term activity, and determining the presence of changes in network activity in response to a result of said steps of comparing short-term with long-term activity, and updating that long-term activity using that recent activity if and only if that information regarding recent activity is within normal behavior for that network.
- View Dependent Claims (2, 3, 4, 6, 19)
- - 2. A method as in claim 1, including steps ofdetermining that said recent activity is within normal behavior for that network only when said recent activity is within a selected range of difference from that long-term activity.
  - 3. A method as in claim 1, including steps ofmaintaining a first set of information about that short-term activity, without updating that first set of information for a selected period of time;
    - maintaining a second set of information about that short-term activity, while updating that second set of information promptly upon those steps of receiving information about recent activity;
      
      wherein that first set of information about short-term activity and that second set of information about short-term activity differ by whether that information about recent activity is used; and
      
      replacing that first set of information with that second set of information if and only if that information about recent activity indicates recent activity that is within normal behavior for that network.
  - 4. A method as in claim 3, whereinthat first set of information indicates a last-known-good set of information about emergent activity of that network, and that second set of information includes an in-construction set of information about emergent activity of that network;
    - andat a time for updating that long-term activity, using that last-known-good set of information if and only if that recent activity is not within normal behavior for that network, and using that in-construction set of information if and only if that in-construction set of information indicates that recent activity is within normal behavior for that network.
  - 6. A method as in claim 4, including steps ofwaiting a selected period of time after using that last-known-good set of information before starting to start a next in-construction set of information.
  - 19. The method of claim 1 further including the steps of:
    - when said steps of determining the presence of abnormal activity indicate lack of abnormal activity,replacing a portion of the long-term activity with the short-term activity, andreplacing the short-term activity with the recent network activity.

5. A method, including steps ofmaintaining, at a network monitoring device, information regarding historical activity of a network;
- maintaining information regarding emergent activity of that network;
  
  comparing recent network activity to a predetermined parameter and the emergent activity, and determining the presence of changes in network activity in response to a result of said steps of comparing;
  
  also comparing recent network activity to the historical activity, and also determining the presence of abnormal activity in response to said steps of also comparing;
  
  if and only if said steps of also comparing recent network activity to the historical activity indicate lack of abnormal activity, adjusting that information regarding emergent activity of that network in response to the comparing; and
  
  if and only if said steps of also comparing recent network activity to the historical activity indicate lack of abnormal activity, adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that network.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 20, 22)
- - 7. A method as in claim 5, wherein those steps of maintaining information regarding historical activity of that network are responsive to a relatively long-term review of network behavior.
  - 8. A method as in claim 5, including steps ofpausing those steps of adjusting that information regarding emergent activity of that network in response to a result of the steps of also comparing and also determining.
  - 9. A method as in claim 8, wherein those steps of also determining are responsive to whether that recent activity includes observable values too high or too low for consistency with historical activity of the network.
  - 10. A method as in claim 8, wherein those steps of also determining are responsive to whether that recent activity includes observable values too unlikely for consistency with historical activity of the network.
  - 11. A method as in claim 5,wherein those steps of adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that networkinclude steps of adaptively modifying that information regarding historical activity of that network in response to that information regarding emergent activity of that network.
  - 12. A method as in claim 11, wherein the steps of adaptively modifying include an adaptive modification parameter Λ
    - having a value between approximately 0.5 and 1.0.
  - 20. The method of claim 5 wherein the predetermined parameter is a threshold indicating deviation from an acceptable value.
  - 22. A method as in claim 5, including steps ofwhen said steps of also comparing and also determining indicate abnormal activity, refraining from adjusting that information regarding emergent activity of that network in response to the comparing;
    - andwhen said steps of also comparing and also determining indicate abnormal activity, refraining from adjusting that information regarding historical activity of that network in response to that information regarding emergent activity of that network.

13. A method, including steps ofmaintaining, at a network monitoring device, information regarding relatively long-term historical activity of a network;
- maintaining information regarding short-term activity of said network;
  
  receiving a value indicative of recent network activity;
  
  comparing said recent network activity to said short-term activity and a predetermined threshold value, determining the presence of changes in network activity in response to said steps of comparing recent activity with short-term activity;
  
  comparing said recent network activity to said long-term activity, and determining the presence of abnormal activity in response to said steps of comparing recent activity with long-term activity;
  
  maintaining a history of the values in response to the steps of comparing recent activity with long-term activity;
  
  if and only if said steps of determining the presence of abnormal activity indicate lack of abnormal activity, adjusting that information regarding the long-term historical activity of a network in response to said short-term activity of that network; and
  
  determining information regarding time-dependent activity of that network in response to that information regarding long-term historical activity of that network.
- View Dependent Claims (14, 15, 16, 17, 18, 21)
- - 14. A method as in claim 13, wherein those steps of determining the presence of changes in network activity include spectral analysis.
  - 15. A method as in claim 13, wherein those steps of determining the presence of changes in network activity include interpreting a result of a Fast Fourier Transform.
  - 16. A method as in claim 15, wherein those steps of interpreting include determining a magnitude for each frequency result of the Fast Fourier Transform and sorting the magnitudes in rank order.
  - 17. A method as in claim 16, wherein those steps of sorting include determining if there are other frequencies for which the magnitude of the frequency coefficient is substantial.
  - 18. A method as in claim 17, wherein those steps of determining if there are other frequencies include determining if there is periodicity to the magnitudes.
  - 21. The method of claim 13 wherein the threshold value is a threshold indicating allowable deviation from an acceptable value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Virtual Instruments Worldwide, Inc.
Original Assignee
Xangati Incorporated (Virtana Corp.)
Inventors
Pan, Xiaohong, Kakatkar, Kishor, Sanders, Derek, Jagannathan, Rangaswamy, Liu, Jing, Lee, Rosanna
Primary Examiner(s)
DOAN, DUYEN MY

Application Number

US12/180,243
Time in Patent Office

2,013 Days
Field of Search

709223-226
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/04   Processing captured monitor...

H04L 43/062   related to network traffic

H04L 43/12   Network monitoring probes

Network monitoring of behavior probability density

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

170 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Network monitoring of behavior probability density

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

170 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links