Vector-based anomaly detection

US 8,683,591 B2
Filed: 02/09/2011
Issued: 03/25/2014
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting anomalous behavior of a network fabric, the method comprising:

characterizing a nominal behavior of a fabric as a baseline vector of behavior metrics having nominal values, the fabric comprising networked nodes, wherein the baseline vector comprises at least two correlated behavior metrics;

establishing anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior;

disaggregating the anomaly detection criteria into a plurality of anomaly criterion;

disseminating the plurality of anomaly criterion among nodes of the fabric;

calculating, by the receiving nodes, anomaly criterion statuses at each receiving node as a function the node'"'"'s anomaly criterion and a measured vector of behavior metrics;

aggregating anomaly criterion statuses from at least some of the receiving nodes;

detecting satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior; and

notifying a manager of the fabric anomalous behavior.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.

63 Citations

View as Search Results

19 Claims

1. A method of detecting anomalous behavior of a network fabric, the method comprising:
- characterizing a nominal behavior of a fabric as a baseline vector of behavior metrics having nominal values, the fabric comprising networked nodes, wherein the baseline vector comprises at least two correlated behavior metrics;
  
  establishing anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior;
  
  disaggregating the anomaly detection criteria into a plurality of anomaly criterion;
  
  disseminating the plurality of anomaly criterion among nodes of the fabric;
  
  calculating, by the receiving nodes, anomaly criterion statuses at each receiving node as a function the node'"'"'s anomaly criterion and a measured vector of behavior metrics;
  
  aggregating anomaly criterion statuses from at least some of the receiving nodes;
  
  detecting satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior; and
  
  notifying a manager of the fabric anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein the step of establishing anomaly detection criteria includes simulating an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector.
  - 3. The method of claim 1, wherein the step of establishing anomaly detection criteria includes modeling an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector by constructing a logical representation of the fabric by using nodes of the fabric.
  - 4. The method of claim 3, wherein the step of modeling the anomalous behavior includes running a live drill.
  - 5. The method of claim 1, further comprising collecting fabric-level metrics as a portion of the measured behaviors metrics.
  - 6. The method of claim 1, further comprising collecting apparatus-level metrics as a portion of the measured behaviors metrics.
  - 7. The method of claim 6, further comprising collecting component-level metrics as a portion of the measured behaviors metrics.
  - 8. The method of claim 1, further comprising collecting application metrics as a portion of the measured behaviors metrics.
  - 9. The method of claim 1, further comprising collecting external metrics as a portion of the measured behaviors metrics.
  - 10. The method of claim 1, further comprising at least some of the receiving nodes calculating their anomaly criterion status as a function of a trend of the measured behavior metrics.
  - 11. The method of claim 1, further comprising generating a leading indicator of a likelihood that anomalous behavior is about to occur as a function of the aggregated anomaly criterion statuses.
  - 12. The method of claim 11, where the step of generating the leading indicator includes calculating a likelihood of the anomalous behavior occurring while the anomaly detection criteria remains unsatisfied.
  - 13. The method of claim 1, further comprising identifying an anomaly type of the anomalous behavior based on the anomaly criterion statuses.
  - 14. The method of claim 13, further comprising automatically responding to the anomalous behavior according to a prior defined action based at least in part on the anomaly type.
  - 15. The method of claim 1, further comprising migrating anomalous traffic to a monitored data channel within the fabric.
  - 16. The method of claim 1, further comprising updating the anomaly detection criteria according to a known change in the fabric and sending the receiving nodes correspondingly updated anomaly criterion.
  - 17. The method of claim 16, wherein the known change comprises an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric.
  - 18. The method of claim 1, further comprising storing a history of the anomaly criterion statuses in a black box memory.
  - 19. The method of claim 18, wherein the step of storing the history includes migrating the history from a first one of the networking nodes to the black box memory housed within a second, different one of the networking nodes in response to the anomaly criterion statuses satisfying a migration triggering condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Original Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Inventors
Wittenschlaeger, Thomas
Primary Examiner(s)
Nalven, Andrew L
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US13/024,176
Publication Number

US 20120131674A1
Time in Patent Office

1,140 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

Vector-based anomaly detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Vector-based anomaly detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links