Systems, apparatus, and methods for network data analysis

US 8,935,383 B2
Filed: 03/31/2011
Issued: 01/13/2015
Est. Priority Date: 12/31/2010
Status: Active Grant

First Claim

Patent Images

1. A method for detecting an anomaly on a computer network comprising:

generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval;

generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry;

generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry;

calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance;

detecting an anomaly at the at least one time entry based on the deviation score;

identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred;

identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and

identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are disclosed for analyzing network traffic data to detect anomalies in the data and determine their causes. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to generate a time series of network traffic values. The processor calculates deviation scores for time entries within the time series and detects anomalies in the time series by comparing the deviation score to a predetermined range. If the processor detects an anomaly, it may determine a list of IP addresses of computers on the network that may have caused the anomaly.

Citations

19 Claims

1. A method for detecting an anomaly on a computer network comprising:
- generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval;
  
  generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry;
  
  generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry;
  
  calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance;
  
  detecting an anomaly at the at least one time entry based on the deviation score;
  
  identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the deviation score is about 0.5 to 1.5.
  - 3. The method according to claim 1, wherein the first time-window is larger than the second time-window.
  - 4. The method according to claim 3, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group of IP addresses but were not included in a part of the first group of IP addresses corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 5. The method according to claim 4, further comprising:
    - instructing one or more servers on the computer network not to process request from the one or more IP addresses included in the third group of IP addresses.
  - 6. The method according to claim 3, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the first group of IP addresses but not included in the second group of IP addresses, if the deviation score is less than 0.5.
  - 7. The method according to claim 1, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have stopped making network requests indicated by a deviation score less than 0.5, wherein the deviation score less than 0.5 indicates that there has been a decrease in an amount of network traffic in the small time-window.
  - 8. The method according to claim 1, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have started making network requests indicated by a deviation score greater than 1.5, wherein the deviation score greater than 1.5 indicates that there has been an increase in an amount of network traffic in the small time-window.

9. A network data analysis system for detecting an anomaly on a computer network comprising:
- a processor; and
  
  a memory coupled to the processor, the memory storing instructions to direct the processor to perform operations comprising;
  
  generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval;
  
  generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry;
  
  generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry;
  
  calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance;
  
  detecting an anomaly at the at least one time entry based on the deviation score;
  
  identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The network data analysis system according to claim 9, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group of IP addresses but were not included in a part of the first group of IP addresses corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 11. The network data analysis system according to claim 10, the operations performed by the processor further comprising:
    - instructing one or more servers on the computer network not to process requests from the one or more IP addresses included in the third group of IP addresses.
  - 12. The network data analysis system according to claim 9, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have stopped making network requests indicated by a deviation score less than 0.5, wherein the deviation score less than 0.5 indicates that there has been a decrease in an amount of network traffic in the small time-window.
  - 13. The network data analysis system according to claim 9, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have started making network requests indicated by a deviation score greater than 1.5, wherein the deviation score greater than 1.5 indicates that there has been an increase in an amount of network traffic in the small time-window.

14. A computer-readable storage device storing instructions for analyzing network data, the instructions causing one or more computer processors to perform operations, comprising:
- generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval;
  
  generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry;
  
  generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry;
  
  calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance;
  
  detecting an anomaly at the at least one time entry based on the deviation score;
  
  identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred;
  
  identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and
  
  identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer-readable storage device according to claim 14, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the second group of IP addresses but were not included in a part of the first group of IP addresses corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.
  - 16. The computer-readable storage device according to claim 15, the instructions further causing the one or more computer processors to:
    - instruct one or more servers on the computer network not to process requests from the one or more IP addresses included in the third group of IP addresses.
  - 17. The computer-readable storage device according to claim 14, wherein identifying the third group of IP addresses includes:
    - identifying, as the third group of IP addresses, the IP addresses that were included in the first group of IP addresses but not included in the second group of IP addresses, if the deviation score is less than 0.5.
  - 18. The computer-readable storage device according to claim 14, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have stopped making network requests indicated by a deviation score less than 0.5, wherein the deviation score less than 0.5 indicates that there has been a decrease in an amount of network traffic in the small time-window.
  - 19. The computer-readable storage device according to claim 14, wherein the identifying the third group of IP addresses further comprising identifying the third group of IP addresses that have started making network requests indicated by a deviation score greater than 1.5, wherein the deviation score greater than 1.5 indicates that there has been an increase in an amount of network traffic in the small time-window.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Rodriguez, John
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
Chacko, Joe

Application Number

US13/077,550
Publication Number

US 20120173710A1
Time in Patent Office

1,384 Days
Field of Search

709223-225
US Class Current

709/224
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Systems, apparatus, and methods for network data analysis

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems, apparatus, and methods for network data analysis

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links