Vector-based anomaly detection

US 9,197,658 B2
Filed: 02/14/2014
Issued: 11/24/2015
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:

a black box memory configured to store a plurality of behavior metrics; and

an anomaly agent coupled with the black box and configured to;

characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics selected from the plurality of behavior metrics, the at least two correlated behavior metrics having nominal values,establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,disaggregate the anomaly detection criteria into a plurality of anomaly criterion,aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of behavior metrics;

detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, andpresent to a user the fabric anomalous behavior.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.

59 Citations

View as Search Results

19 Claims

1. A hybrid-fabric apparatus for detecting anomalous behavior of a network fabric comprising a plurality of network nodes, the hybrid-fabric apparatus comprising:
- a black box memory configured to store a plurality of behavior metrics; and
  
  an anomaly agent coupled with the black box and configured to;
  
  characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics selected from the plurality of behavior metrics, the at least two correlated behavior metrics having nominal values,establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,disaggregate the anomaly detection criteria into a plurality of anomaly criterion,aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of behavior metrics;
  
  detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, andpresent to a user the fabric anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to establish the anomaly detection criteria by stimulating an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector.
  - 3. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to establish anomaly detection criteria by modeling an anomalous behavior within the fabric while the fabric is active to derive the variation from the baseline vector by constructing a logical representation of the fabric by using nodes of the fabric.
  - 4. The hybrid-fabric apparatus of claim 3, wherein the anomaly agent is further configured to model the anomalous behavior by running a live drill.
  - 5. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to collect fabric-level metrics as a portion of the measured behaviors metrics.
  - 6. The hybrid-fabric apparatus of claim 5, wherein the anomaly agent is further configured to collect component-level metrics as a portion of the measured behaviors metrics.
  - 7. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to collect application metrics as a portion of the measured behaviors metrics.
  - 8. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to collect external metrics as a portion of the measured behaviors metrics.
  - 9. The hybrid-fabric apparatus of claim 1, wherein the at least some of the plurality of network nodes calculate their anomaly criterion statuses as a function of a trend of the measured behavior metrics.
  - 10. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to generate a leading indicator of a likelihood that anomalous behavior is about to occur as a function of the aggregated anomaly criterion statuses.
  - 11. The hybrid-fabric apparatus of claim 10, wherein the anomaly agent is further configured to generate the leading indicator by calculating a likelihood of the anomalous behavior occurring while the anomaly detection criteria remains unsatisfied.
  - 12. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to identify an anomaly type of the anomalous behavior based on the anomaly criterion statuses.
  - 13. The hybrid-fabric apparatus of claim 12, wherein the anomaly agent is further configured to automatically respond to the anomalous behavior according to a prior defined action based at least in part on the anomaly type.
  - 14. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to migrate anomalous traffic to a monitored data channel within the fabric.
  - 15. The hybrid-fabric apparatus of claim 1, the anomaly agent is further configured to update the anomaly detection criteria according to a known change in the fabric and sending the receiving nodes correspondingly updated anomaly criterion.
  - 16. The hybrid-fabric apparatus of claim 15, wherein the known change comprises an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric.
  - 17. The hybrid-fabric apparatus of claim 1, wherein the anomaly agent is further configured to store a history of the anomaly criterion statuses in the black box memory.
  - 18. The hybrid-fabric apparatus of claim 17, wherein the anomaly agent is further configured to store the history by migrating the history from a first one of the networking nodes to the black box memory housed within a second, different one of the networking nodes in response to the anomaly criterion statuses satisfying a migration triggering condition.

19. A network fabric system comprising:
- a plurality of network nodes; and
  
  an anomaly agent coupled with the plurality of network nodes and configured to;
  
  characterize a nominal behavior of a fabric as a baseline vector comprising at least two correlated behavior metrics having nominal values,establish anomaly detection criteria as a function of a variation from the baseline vector, the detection criteria defining a fabric anomalous behavior,disaggregate the anomaly detection criteria into a plurality of anomaly criterion,aggregate anomaly criterion statuses from at least some of the plurality of network nodes, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of behavior metrics;
  
  detect satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric anomalous behavior relative to the nominal behavior, andpresent to a user the fabric anomalous behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Original Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Inventors
Wittenschlaeger, Thomas
Primary Examiner(s)
Perungavoor, Venkat
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US14/181,228
Publication Number

US 20140165201A1
Time in Patent Office

648 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

Vector-based anomaly detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

59 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Vector-based anomaly detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links