Vector-based anomaly detection

US 9,716,723 B2
Filed: 10/20/2015
Issued: 07/25/2017
Est. Priority Date: 11/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting anomalous behavior of a network fabric, comprising:

determining a baseline vector corresponding to nominal behavior of a fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;

disaggregating anomaly detection criteria into a plurality of anomaly criterion to be distributed among nodes of the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;

aggregating anomaly criterion statuses calculated by at least some of the nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and

notifying a manager of the fabric anomalous behavior.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods of detecting anomalous behaviors associated with a fabric are presented. A network fabric can comprise many fungible networking nodes, preferably hybrid-fabric apparatus capable of routing general purpose packet data and executing distributed applications. A nominal behavior can be established for the fabric and represented by a baseline vector of behavior metrics. Anomaly detection criteria can be derived as a function of a variation from the baseline vector based on measured vectors of behavior metrics. Nodes in the fabric can provide a status for one or more anomaly criterion, which can be aggregated to determine if an anomalous behavior has occurred, is occurring, or is about to occur.

73 Citations

View as Search Results

20 Claims

1. A method of detecting anomalous behavior of a network fabric, comprising:
- determining a baseline vector corresponding to nominal behavior of a fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;
  
  disaggregating anomaly detection criteria into a plurality of anomaly criterion to be distributed among nodes of the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;
  
  aggregating anomaly criterion statuses calculated by at least some of the nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and
  
  notifying a manager of the fabric anomalous behavior.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method recited in claim 1, wherein aggregating comprises detecting satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric'"'"'s anomalous behavior relative to the nominal behavior.
  - 3. The method recited in claim 1, wherein the anomaly detection criteria is established by at least one of simulating an anomalous behavior within the fabric while the fabric is active;
    - modeling an anomalous behavior within the fabric to derive the variation from the baseline vector by constructing a logical representation of the fabric using nodes of the fabric; and
      
      modeling an anomalous behavior by running a live drill.
  - 4. The method recited in claim 1, further comprising at least one of collecting fabric-level metrics as a portion of measured behaviors metrics;
    - collecting apparatus-level metrics as a portion of the measured behaviors metrics;
      
      collecting component-level metrics as a portion of the measured behaviors metrics;
      
      collecting application metrics as a portion of the measured behaviors metrics; and
      
      collecting external metrics as a portion of the measured behaviors metrics.
  - 5. The method of claim 1, further comprising at least some of the nodes calculating their anomaly criterion status as a function of a trend of measured behavior metrics.
  - 6. The method of claim 1, further comprising generating a leading indicator of a likelihood that anomalous behavior is about to occur as a function of aggregated anomaly criterion statuses.
  - 7. The method of claim 6, wherein generating the leading indicator includes calculating a likelihood of the anomalous behavior occurring while an anomaly detection criteria remains unsatisfied.
  - 8. The method of claim 1, further comprising at least one of identifying an anomaly type of the anomalous behavior based on the anomaly criterion statuses automatically responding to the anomalous behavior according to a prior defined action based at least in part on the anomaly type;
    - migrating anomalous traffic to a monitored data channel within the fabric;
      
      updating the anomaly detection criteria according to a known change in the fabric and sending the nodes correspondingly updated anomaly criterion; and
      
      updating the anomaly detection criteria according to an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric and sending the nodes correspondingly updated anomaly criterion.
  - 9. The method of claim 1, further comprising storing a history of the anomaly criterion statuses in a black box memory.
  - 10. The method of claim 9, wherein the step of storing the history includes migrating the history from a first one of the networking nodes to the black box memory housed within a second, different one of the nodes in response to the anomaly criterion statuses satisfying a migration triggering condition.

11. A non-transitory computer readable medium comprising instructions for:
- determining a baseline vector corresponding to nominal behavior of a fabric, the baseline vector comprising at least two different behavior metrics that are correlated with each other;
  
  disaggregating anomaly detection criteria into a plurality of anomaly criterion to be distributed among nodes of the fabric, the anomaly detection criteria characterizing a variation from the baseline vector, and each of the plurality of anomaly criterion comprising a function of a measured vector of behavior metrics, the variation calculated based on a variation function applied to a vector of measured behavior metrics having elements corresponding to member elements of the baseline vector;
  
  aggregating anomaly criterion statuses calculated by at least some of the nodes to detect anomalous behavior, each anomaly criterion status being calculated by a network node as a function of the node'"'"'s anomaly criterion and a measured vector of the at least two different behavior metrics; and
  
  notifying a manager of the fabric anomalous behavior.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer readable medium recited in claim 11, wherein aggregating comprises detecting satisfaction of the anomaly detection criteria as a function of the anomaly criterion statuses indicating occurrence of the fabric'"'"'s anomalous behavior relative to the nominal behavior.
  - 13. The non-transitory computer readable medium recited in claim 11, wherein the anomaly detection criteria is established by at least one of simulating an anomalous behavior within the fabric while the fabric is active;
    - modeling an anomalous behavior within the fabric to derive the variation from the baseline vector by constructing a logical representation of the fabric using nodes of the fabric; and
      
      modeling an anomalous behavior by running a live drill.
  - 14. The non-transitory computer readable medium recited in claim 11, further comprising at least one of collecting fabric-level metrics as a portion of measured behaviors metrics;
    - collecting apparatus-level metrics as a portion of the measured behaviors metrics;
      
      collecting component-level metrics as a portion of the measured behaviors metrics;
      
      collecting application metrics as a portion of the measured behaviors metrics; and
      
      collecting external metrics as a portion of the measured behaviors metrics.
  - 15. The non-transitory computer readable medium of claim 11, further comprising at least some of the nodes calculating their anomaly criterion status as a function of a trend of measured behavior metrics.
  - 16. The non-transitory computer readable medium of claim 11, further comprising generating a leading indicator of a likelihood that anomalous behavior is about to occur as a function of aggregated anomaly criterion statuses.
  - 17. The non-transitory computer readable medium of claim 16, wherein generating the leading indicator includes calculating a likelihood of the anomalous behavior occurring while an anomaly detection criteria remains unsatisfied.
  - 18. The non-transitory computer readable medium of claim 11, further comprising at least one of identifying an anomaly type of the anomalous behavior based on the anomaly criterion statuses automatically responding to the anomalous behavior according to a prior defined action based at least in part on the anomaly type;
    - migrating anomalous traffic to a monitored data channel within the fabric;
      
      updating the anomaly detection criteria according to a known change in the fabric and sending the nodes correspondingly updated anomaly criterion; and
      
      updating the anomaly detection criteria according to an expected behavior change vector reflecting expected behavior changes due to deployment of an application within the fabric and sending the nodes correspondingly updated anomaly criterion.
  - 19. The non-transitory computer readable medium of claim 11, further comprising storing a history of the anomaly criterion statuses in a black box memory.
  - 20. The non-transitory computer readable medium of claim 19, wherein the step of storing the history includes migrating the history from a first one of the networking nodes to the black box memory housed within a second, different one of the nodes in response to the anomaly criterion statuses satisfying a migration triggering condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Original Assignee
Nant Holdings IP, LLC (NantWorks, LLC)
Inventors
Wittenschlaeger, Thomas
Primary Examiner(s)
Parsons, Theodore C.
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US14/887,842
Publication Number

US 20160044055A1
Time in Patent Office

644 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/18   using different networks or...

Vector-based anomaly detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

73 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Vector-based anomaly detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others