Anomaly detection in a signal
First Claim
1. A method for detecting anomalies in a discrete signal from network traffic flow comprising:
receiving, by an anomaly detector including one or more processors, a network traffic signal comprising discretized samples corresponding to data packets arriving at a network node within a sampled time interval;
identifying, by the anomaly detector, a trend component of the network traffic signal, the trend component corresponding to frequency components of the network traffic signal below a first cut-off frequency threshold;
calculating, by the anomaly detector, a detrended network traffic signal based on the trend component and the network traffic signal;
identifying, by the anomaly detector, a cyclic component in the detrended network traffic signal, the cyclic component corresponding to frequency components of the detrended network traffic signal above a second cut-off frequency, the second cut-off frequency greater than the first cut-off frequency;
calculating, by the anomaly detector, a residual network traffic signal based on the cyclic component and the detrended network traffic signal;
detecting, by the anomaly detector, an anomaly in the residual network traffic signal based on at least one of an amplitude-based anomaly detection algorithm or a statistics-based anomaly detection algorithm; and
reconfiguring, by the anomaly detector, a network comprising the network node responsive to detecting the anomaly.
Abstract
Systems and methods are disclosed herein for detecting an anomaly in a discrete signal, where a long-term trend of the discrete signal is identified. Samples in the signal correspond to a number of data packets arriving at a location in a network within a time interval. The long-term trend is subtracted from the discrete signal to obtain a detrended signal. A cyclic pattern is identified in the detrended signal and is subtracted from the detrended signal to obtain a residual signal. Anomaly detection is performed on the residual signal.
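The decomposition the abstract describes (trend, detrended signal, cyclic pattern, residual, detection on the residual), as an added Python sketch that is not code from the patent. The filter choices are assumptions made here: a centered moving average as the trend filter, a per-phase median with a known cycle length as the cyclic pattern, and a median-absolute-deviation threshold as the amplitude test; the function names and the sample signal are constructed.

```python
import math
import random
from statistics import median

def detect_anomalies(counts, period, k=6.0):
    """Return (flagged_indices, residual) for per-interval packet counts.

    Assumptions of this sketch: the cycle length `period` is known, the trend
    is a centered moving average, and k robust sigmas is the amplitude test.
    """
    half = period                          # window of 2*period+1 samples
    idx = range(half, len(counts) - half)  # skip edges where the window does not fit
    # 1. Long-term trend: low-pass the signal with a centered moving average.
    trend = {i: sum(counts[i - half:i + half + 1]) / (2 * half + 1) for i in idx}
    # 2. Detrended signal = signal - trend.
    detrended = {i: counts[i] - trend[i] for i in idx}
    # 3. Cyclic pattern: median of the detrended signal at each phase of the cycle.
    profile = [median(detrended[i] for i in idx if i % period == p)
               for p in range(period)]
    # 4. Residual = detrended - cyclic pattern.
    residual = {i: detrended[i] - profile[i % period] for i in idx}
    # 5. Amplitude test on the residual, scaled by the median absolute deviation.
    centre = median(residual.values())
    sigma = 1.4826 * median(abs(r - centre) for r in residual.values()) or 1e-9
    flagged = [i for i in idx if abs(residual[i] - centre) > k * sigma]
    return flagged, residual

def constructed_signal(hours=24 * 14, period=24, burst_at=None, seed=7):
    """Constructed sample: packets per hour with growth, a daily cycle and noise."""
    rng = random.Random(seed)
    sig = [1000 + 1.5 * i + 300 * math.sin(2 * math.pi * i / period) + rng.gauss(0, 20)
           for i in range(hours)]
    if burst_at is not None:
        sig[burst_at] += 400               # injected burst (constructed)
    return sig

if __name__ == "__main__":
    # Hour 210 is a daily trough (210 % 24 == 18), so the burst hides in raw counts.
    flagged, residual = detect_anomalies(constructed_signal(burst_at=210), period=24)
    print("anomalous intervals:", flagged)
```

The injected burst leaves the raw count at hour 210 below the signal's ordinary daily peaks, so a fixed threshold on raw counts would not catch it; it stands out only once the trend and the daily cycle are subtracted.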
18 Claims
10. An apparatus for detecting anomalies in a discrete signal from network traffic flow, comprising:
a non-transitory memory;
a processor for:
receiving a network traffic signal comprising discretized samples corresponding to data packets arriving at a network node within a sampled time interval;
identifying a trend component of the network traffic signal, the trend component corresponding to frequency components of the network traffic signal below a first cut-off frequency threshold;
calculating a detrended network traffic signal based on the trend component and the network traffic signal;
identifying a cyclic component in the detrended network traffic signal, the cyclic component corresponding to frequency components of the detrended network traffic signal above a second cut-off frequency, the second cut-off frequency greater than the first cut-off frequency;
calculating, by the anomaly detector, a residual network traffic signal based on the cyclic component and the detrended network traffic signal;
detecting an anomaly in the residual network traffic signal based on at least one of an amplitude-based anomaly detection algorithm or a statistics-based anomaly detection algorithm; and
reconfiguring, by the anomaly detector, a network comprising the network node responsive to detecting the anomaly.
Specification