Detecting outliers in network traffic time series
First Claim
1. A computer program product residing on a non-transitory computer readable medium for intrusion detection, the computer program product comprising instructions for causing a processor to:
for each of a plurality of multiple different network traffic metrics, generate a forecast of network traffic using a model, the forecast being based on previously observed network traffic;
generate a prediction interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic;
compare observed network traffic to the prediction interval;
identify an outlier for the metric if the observed network traffic is outside of the prediction interval during a time period;
compute a count of outliers for the metric that are identified during the time period; and
identify an anomaly in network traffic for the metric only when the computed count of outliers identified for the metric during the time period is greater than or equal to two and the computed count of outliers identified for the metric during the time period exceeds an anomaly threshold for the metric that is greater than or equal to one; and
merge anomalies for each of the multiple different network traffic metrics to identify a single event.
21 Assignments
0 Petitions
Abstract
According to an aspect of the invention, a system and method are configured to detect time series outliers in network traffic.
45 Citations
19 Claims
1. A computer program product residing on a non-transitory computer readable medium for intrusion detection (text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An anomaly detection system, comprising:
a computing device configured to:
for each of a plurality of multiple different network traffic metrics, generate a forecast of network traffic using a model, the forecast being based on previously observed network traffic;
generate a prediction interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic;
compare observed network traffic to the prediction interval;
identify an outlier for the metric if the observed network traffic is outside of the prediction interval during a time period;
compute a count of outliers for the metric that are identified during the time period; and
identify an anomaly in network traffic for the metric only when the computed count of outliers identified for the metric during the time period is greater than or equal to two and the computed count of outliers identified for the metric during the time period exceeds an anomaly threshold for the metric that is greater than or equal to one; and
merge identified anomalies for each of the multiple different network traffic metrics to identify a single event.
Dependent claims: 10, 11, 12, 13, 14.
15. A computer implemented method comprising:
for each of a plurality of multiple different network traffic metrics, generating a forecast of network traffic using a model, the forecast being based on previously observed network traffic;
generating a prediction interval that extends above and below the forecast of the network traffic, the prediction interval being based on previously observed deviations from predicted network traffic;
comparing observed network traffic to the prediction interval;
identifying, by computer, an outlier for the metric if the observed network traffic is outside of the prediction interval during a time period;
computing a count of outliers for the metric that are identified during the time period; and
identifying an anomaly for the metric in network traffic only when the computed count of outliers for the metric identified during the time period is greater than or equal to two and the computed count of outliers identified for the metric during the time period exceeds an anomaly threshold for the metric that is greater than or equal to one; and
merging identified anomalies for each of the multiple different network traffic metrics to identify a single event.
Dependent claims: 16, 17, 18, 19.
Specification