Detection of anomaly in network flow data
First Claim
1. A method for detecting an anomaly in a network flow data, comprising:
using a processor for:
(a) collecting the network flow data, characterizing performance of a network, within a time interval divided into multiple time-bins, and generating network flow features from the collected network flow data for each time-bin;
(b) generating input network traffic matrix containing information for the network flow features for respective time-bins;
(c) generating a statistical matrix from the input traffic matrix;
(d) applying a principal component analysis to the statistical matrix to determine one or more principal components of the statistical matrix;
(e) determining an anomaly score for each time-bin using the principal components;
(f) identifying one or more time-bins of the input network traffic matrix having highest anomaly scores;
(g) determining mean values for network flow features across all time-bins, excluding the identified time-bins;
(h) replacing values of the network flow features in the identified time-bins with respective determined mean values of said network flow features to form a modified input network traffic matrix;
(i) replacing the input network traffic matrix with the modified input network traffic matrix, and repeating the steps (c) to (h) a predetermined number of times.
Abstract
Disclosed is a method 101 to be used on collected network data flow 116 associated with a network 100; the method 101 includes: an anomaly-detection operation 103 including: (A) obtaining the collected network data flow 116; and (B) performing an iterative principal component analysis on the collected network data flow 116 to detect an anomaly associated with the collected network data flow 116. The method may be used in a server and a network, and may also be implemented as a non-transitory computer-readable media. A corresponding system for detecting the anomaly in the network flow data is also provided.
22 Claims
1. A method for detecting an anomaly in a network flow data, comprising:
using a processor for:
(a) collecting the network flow data, characterizing performance of a network, within a time interval divided into multiple time-bins, and generating network flow features from the collected network flow data for each time-bin;
(b) generating input network traffic matrix containing information for the network flow features for respective time-bins;
(c) generating a statistical matrix from the input traffic matrix;
(d) applying a principal component analysis to the statistical matrix to determine one or more principal components of the statistical matrix;
(e) determining an anomaly score for each time-bin using the principal components;
(f) identifying one or more time-bins of the input network traffic matrix having highest anomaly scores;
(g) determining mean values for network flow features across all time-bins, excluding the identified time-bins;
(h) replacing values of the network flow features in the identified time-bins with respective determined mean values of said network flow features to form a modified input network traffic matrix;
(i) replacing the input network traffic matrix with the modified input network traffic matrix, and repeating the steps (c) to (h) a predetermined number of times.
(Dependent claims 2 to 11 not shown.)

12. A system for detecting an anomaly in a network flow data, comprising:
a processor; a non-transitory computer readable storage medium having computer readable instructions stored thereon for execution by the processor, causing the processor to:
(a) collect the network flow data, characterizing performance of a network, within a time interval divided into multiple time-bins, and generate network flow features from the collected network flow data for each time-bin;
(b) generate input network traffic matrix containing information for the network flow features for respective time-bins;
(c) generate a statistical matrix from the input traffic matrix;
(d) apply a principal component analysis to the statistical matrix to determine one or more principal components of the statistical matrix;
(e) determine an anomaly score for each time-bin using the principal components;
(f) identify time-bins of the input network traffic matrix having highest anomaly scores;
(g) determine mean values for network flow features across all time-bins, excluding the identified time-bins;
(h) replace values of the network flow features in the identified time-bins with respective determined mean values of said network flow features to form a modified input network traffic matrix;
(i) replace the input network traffic matrix with the modified input network traffic matrix, and repeat the steps (c) to (h) a predetermined number of times.
(Dependent claims 13 to 22 not shown.)
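The nine steps of claims 1 and 12, worked through in Python as an added example (this is not code from the patent or its assignee). The claims leave open what the "statistical matrix" of step (c) holds and how the anomaly score of step (e) is formed; the example assumes per-feature z-scores for the former and Hotelling's T-squared on the retained components for the latter. The traffic matrix is a constructed sample (24 time-bins, five flow features, two injected anomalies), and the feature names, function names and the parameters k, top_m and n_iter are the example's own choices.

```python
"""Iterative PCA anomaly detection over per-time-bin network flow features:
traffic matrix -> statistical matrix -> PCA -> per-bin score -> overwrite the
worst bins with feature means -> repeat a fixed number of times."""
import numpy as np

# Assumed feature set; the claims only say "network flow features".
FEATURES = ["flow_count", "total_bytes", "total_packets", "unique_dst_ports", "syn_ratio"]


def build_sample_traffic_matrix(n_bins=24, seed=42):
    """Steps (a)-(b) stand-in: a constructed input traffic matrix (not real data).
    One row per time-bin, one column per feature, 5% noise around a baseline,
    plus two injected anomalies."""
    rng = np.random.default_rng(seed)
    base = np.array([500.0, 2.0e6, 4000.0, 40.0, 0.10])
    X = base + rng.normal(size=(n_bins, len(base))) * (base * 0.05)
    X[7, 0] *= 6.0     # bin 7: many small flows ...
    X[7, 3] *= 12.0    # ... to many destination ports (scan-like)
    X[19, 1] *= 10.0   # bin 19: byte volume surges ...
    X[19, 2] *= 8.0    # ... with packet volume (flood-like)
    return X


def statistical_matrix(X):
    """Step (c): z-score each feature column (assumed choice of statistic)."""
    mu = X.mean(axis=0)
    sd = X.std(axis=0)
    sd = np.where(sd == 0, 1.0, sd)   # a constant feature stays centred at 0
    return (X - mu) / sd


def principal_components(Z, k):
    """Step (d): top-k principal components of the centred matrix via SVD.
    Returns loadings (n_features x k) and the variance along each component."""
    _, s, vt = np.linalg.svd(Z, full_matrices=False)
    variances = s[:k] ** 2 / (Z.shape[0] - 1)
    return vt[:k].T, variances


def anomaly_scores(Z, loadings, variances):
    """Step (e): Hotelling's T^2 per time-bin (assumed scoring rule): squared
    projection onto each retained component, divided by that component's variance."""
    T = Z @ loadings
    return (T ** 2 / variances).sum(axis=1)


def iterative_pca_detect(X, k=2, top_m=2, n_iter=2):
    """Steps (c)-(i): score, flag the top_m bins, overwrite them with the mean of
    the remaining bins, and repeat n_iter times on the modified matrix.
    Returns the flagged bins of each iteration and the final modified matrix."""
    X = X.astype(float).copy()
    history = []
    for _ in range(n_iter):
        Z = statistical_matrix(X)                               # (c)
        loadings, variances = principal_components(Z, k)        # (d)
        scores = anomaly_scores(Z, loadings, variances)         # (e)
        flagged = np.argsort(scores)[::-1][:top_m]              # (f) highest scores
        keep = np.ones(len(X), dtype=bool)
        keep[flagged] = False
        means = X[keep].mean(axis=0)                            # (g) means excluding them
        X[flagged] = means                                      # (h) overwrite, (i) reuse X
        history.append(sorted(int(i) for i in flagged))
    return history, X


if __name__ == "__main__":
    X = build_sample_traffic_matrix()
    history, cleaned = iterative_pca_detect(X)
    for it, bins in enumerate(history, 1):
        print(f"iteration {it}: flagged time-bins {bins}")
```

T-squared rather than the residual (reconstruction-error) score is deliberate: when one or two bins dominate the variance, the leading components align with those bins, so their residual is small and a residual score misses exactly the events being hunted. Scoring along the retained components flags them, and overwriting them with the means of the other bins removes their pull on the components, which is why step (i) re-derives the PCA from the modified matrix instead of reusing the first one. Two caveats for operational use: a bin that has been overwritten sits at the column mean and scores zero on later passes, so with a fixed top_m every further iteration will flag ordinary bins; threshold the scores (or stop when the top score falls below a baseline) rather than trusting the count. And because the means in step (g) are computed from the raw matrix, a slow-ramping attack spread over many bins shifts those means and is not isolated by this scheme.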
Specification