Anomaly detection and identification using traffic steering and real-time analytics
First Claim
1. A method comprising:
monitoring, by a first server, a plurality of packets associated with traffic that is traveling to or from a service provider network associated with the first server;
obtaining, by the first server and based on monitoring the plurality of packets, traffic metrics associated with the plurality of packets with respect to one or more network layers;
detecting, by the first server, an anomaly associated with the plurality of packets based on a portion of the traffic metrics associated with at least one network layer of the one or more network layers;
sending, by the first server and to a second server associated with the service provider network, a request for one or more packets, of the plurality of packets, that correspond to the anomaly;
receiving, by the first server and from the second server, copies of the one or more packets after the second server generates the copies of the one or more packets by replicating the one or more packets based on the request, the one or more packets being transmitted to a destination device by the second server;
analyzing, by the first server, each packet, of the copies of the one or more packets, to obtain information associated with the anomaly; and
sending, by the first server, a notification that indicates that the anomaly has been detected, the notification including at least one of:
the traffic metrics associated with the plurality of packets, the copies of the one or more packets, or the information associated with the anomaly.
1 Assignment
0 Petitions
Abstract
A system, associated with a service provider network, is configured to monitor traffic, that is traveling to or from the service provider network, to obtain traffic metrics that correspond to a collection of network layers, where the network layers; process the traffic metrics with respect to each of the network layers to identify an anomaly, associated with the traffic, that corresponds to at least one of the network layers; send a request for packets associated with the traffic based on the identification of the anomaly; receive copies of the packets associated with the traffic; analyze the copies of the packets to obtain information associated with the anomaly; and send a notification that indicates that the anomaly has been identified, where the notification includes the traffic metrics associated with the traffic or the information associated with the anomaly.
30 Citations
25 Claims
1. A method comprising:
monitoring, by a first server, a plurality of packets associated with traffic that is traveling to or from a service provider network associated with the first server;
obtaining, by the first server and based on monitoring the plurality of packets, traffic metrics associated with the plurality of packets with respect to one or more network layers;
detecting, by the first server, an anomaly associated with the plurality of packets based on a portion of the traffic metrics associated with at least one network layer of the one or more network layers;
sending, by the first server and to a second server associated with the service provider network, a request for one or more packets, of the plurality of packets, that correspond to the anomaly;
receiving, by the first server and from the second server, copies of the one or more packets after the second server generates the copies of the one or more packets by replicating the one or more packets based on the request, the one or more packets being transmitted to a destination device by the second server;
analyzing, by the first server, each packet, of the copies of the one or more packets, to obtain information associated with the anomaly; and
sending, by the first server, a notification that indicates that the anomaly has been detected, the notification including at least one of:
the traffic metrics associated with the plurality of packets, the copies of the one or more packets, or the information associated with the anomaly.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A computing device associated with a service provider network, the computing device comprising:
one or more processors configured to:
monitor traffic, that is traveling to or from the service provider network, to obtain traffic metrics, associated with the traffic, that correspond to one or more network layers, the one or more network layers including at least one of a physical layer, a network layer, a transport layer, a session layer, a presentation layer, or an application layer,
process the traffic metrics with respect to each of the one or more network layers to identify an anomaly, associated with the traffic, that corresponds to at least one network layer of the one or more network layers,
send, to a steering server, a request for packets associated with the traffic based on the anomaly,
receive, from the steering server, copies of the packets associated with the traffic after the steering server generates the copies of the packets by replicating the packets based on the request, the packets being transmitted to a destination device by the steering server,
analyze the copies of the packets to obtain information associated with the anomaly, and
send, to a server device, a notification that indicates that the anomaly has been identified, the notification including:
the traffic metrics associated with the traffic, or the information associated with the anomaly.
Dependent claims: 13, 14, 15, 16, 17, 18, 19

20. A server device, associated with a service provider network, comprising:
a memory; and
a processor configured to:
monitor traffic received from or destined for a user device associated with the service provider network,
obtain, from the traffic and based on monitoring the traffic, information associated with the traffic that corresponds to one or more network layers associated with the service provider network,
determine that an anomaly is associated with the traffic based on the information associated with the traffic and one or more thresholds that correspond to the one or more network layers,
generate a request to retrieve packets associated with the traffic based on determining that the anomaly is associated with the traffic,
send the request to a server associated with the service provider network,
receive, from the server, copies of the packets after the server generates the copies of the packets by replicating the packets based on the request, the packets being transmitted to a destination device by the server,
analyze the copies of the packets to obtain information associated with the anomaly,
send, to a network management server associated with the service provider network, a notification that indicates that the anomaly has been detected, the notification including at least one of:
the information associated with the traffic, or the information associated with the anomaly.
Dependent claims: 21, 22, 23, 24, 25
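The claimed pipeline (monitor, derive per-layer metrics, compare against per-layer thresholds, request replicated packets from a steering server that still forwards the originals, analyze the copies, notify) simulated end to end in Python. This is an added illustration, not code from the patent or its assignee; the packet tuples, the thresholds, and every function name are constructed for the example.

```python
from collections import Counter

# Constructed sample traffic: (src, dst, proto, tcp_flags, payload) tuples standing in for
# packets seen by the monitoring (first) server; the second source is a bare-SYN burst.
PACKETS = ([("10.0.0.5", "198.51.100.7", "tcp", "SA", "GET /index")] * 3
           + [("10.0.0.9", "198.51.100.7", "tcp", "S", "")] * 20)

# Constructed transport-layer thresholds: >10 packets with >80% bare SYNs is anomalous.
THRESHOLDS = {"transport": {"min_packets": 10, "syn_ratio": 0.8}}

def layer_metrics(packets):
    """Per-source metrics for the network layer (packet count) and transport layer (SYN share)."""
    metrics = {}
    for src, _dst, _proto, flags, _payload in packets:
        m = metrics.setdefault(src, {"network": {"packets": 0}, "transport": {"syn": 0}})
        m["network"]["packets"] += 1
        if flags == "S": m["transport"]["syn"] += 1
    for m in metrics.values():
        m["transport"]["syn_ratio"] = m["transport"]["syn"] / m["network"]["packets"]
    return metrics

def detect_anomalies(metrics, thresholds=THRESHOLDS):
    """Return (source, layer) pairs whose metrics cross the transport-layer thresholds."""
    t = thresholds["transport"]
    return [(src, "transport") for src, m in metrics.items()
            if m["network"]["packets"] > t["min_packets"]
            and m["transport"]["syn_ratio"] > t["syn_ratio"]]

def steering_server(packets, request):
    """Simulated steering (second) server: forwards every packet unchanged and
    returns copies of those matching the requested source address."""
    forwarded = list(packets)  # originals still reach the destination device
    copies = [p for p in forwarded if p[0] == request["src"]]
    return forwarded, copies

def analyze_copies(copies):
    """Inspect the replicated packets: TCP flag mix and destinations contacted."""
    return {"flags": dict(Counter(p[3] for p in copies)),
            "destinations": sorted({p[1] for p in copies})}

def run_pipeline(packets=PACKETS):
    """Monitor -> detect -> request copies -> analyze -> notify; one notification per anomaly."""
    metrics = layer_metrics(packets)
    notifications = []
    for src, layer in detect_anomalies(metrics):
        _forwarded, copies = steering_server(packets, {"src": src})
        notifications.append({"source": src, "layer": layer, "metrics": metrics[src],
                              "copies": len(copies), "info": analyze_copies(copies)})
    return notifications
```

Only the anomalous source triggers a replication request, so the analytics server inspects full packets for a small slice of traffic while the steering server keeps forwarding everything.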