Anomaly detection using device relationship graphs
First Claim
1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
- instantiating a network monitoring application to perform actions, including:
  - detecting one or more error signals;
  - employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  - traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  - analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  - reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  - employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.
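The steps of claim 1, worked through in Python as an added illustration that is not code from the patent or its assignee: a device relation graph of agents, phantom edges inferred from time-correlated traffic between agents the graph did not yet associate, traversal from the agents carrying an error signal, and reduction of per-agent anomalies to one anomaly per connected group sharing the same signal. The agent names, timestamps, correlation window and thresholds, and error-signal labels are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class DeviceRelationModel:
    """Graph of agents (nodes) and relationships (edges).

    Phantom edges are relationships inferred from correlated traffic rather
    than observed directly; they are recorded so they can be reviewed later.
    """
    nodes: set = field(default_factory=set)
    edges: dict = field(default_factory=lambda: defaultdict(set))
    phantom: set = field(default_factory=set)  # frozenset({a, b}) per phantom edge

    def add_edge(self, a, b, phantom=False):
        self.nodes.update((a, b))
        self.edges[a].add(b)
        self.edges[b].add(a)
        if phantom:
            self.phantom.add(frozenset((a, b)))

    def associated(self, a, b):
        return b in self.edges[a]

    def component(self, start):
        """Traverse the model breadth-first and return every agent reachable from start."""
        seen = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for neighbour in self.edges[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        return seen


def add_phantom_edges(model, flows, window=5, min_overlap=2):
    """Link non-associated agents whose traffic is time-correlated.

    flows: list of (agent, timestamp_seconds). Two agents not yet associated in
    the model get a phantom edge when their flows fall within `window` seconds of
    each other at least `min_overlap` times. Both thresholds are constructed
    values for this example, not figures from the patent.
    """
    by_agent = defaultdict(list)
    for agent, ts in flows:
        by_agent[agent].append(ts)
    added = []
    for a, b in combinations(sorted(by_agent), 2):
        if model.associated(a, b):
            continue
        overlap = sum(1 for ta in by_agent[a] for tb in by_agent[b] if abs(ta - tb) <= window)
        if overlap >= min_overlap:
            model.add_edge(a, b, phantom=True)
            added.append((a, b))
    return added


def reduce_anomalies(model, error_signals):
    """Collapse per-agent error signals into one anomaly per (signal, connected group).

    error_signals: list of (agent, signal). Agents that raise the same signal and
    are reachable from each other in the model are reported as a single anomaly
    listing all of them; an agent with no such neighbour stays its own anomaly.
    """
    by_signal = defaultdict(set)
    for agent, signal in error_signals:
        by_signal[signal].add(agent)
    anomalies = []
    for signal, agents in sorted(by_signal.items()):
        remaining = set(agents)
        while remaining:
            start = min(remaining)
            group = model.component(start) & agents
            remaining -= group
            anomalies.append({"signal": signal, "agents": sorted(group)})
    return anomalies


def build_sample():
    """Constructed sample: a small web tier plus two agents the model does not yet link."""
    model = DeviceRelationModel()
    for a, b in [("lb", "web1"), ("lb", "web2"), ("web1", "db1"), ("web2", "db1")]:
        model.add_edge(a, b)
    model.nodes.update({"web3", "printer"})
    # Constructed flow timestamps: web3 and db1 exchange traffic within seconds of each other.
    flows = [("web3", 100), ("db1", 101), ("web3", 130), ("db1", 132), ("printer", 500)]
    errors = [("web1", "http_5xx"), ("web2", "http_5xx"),
              ("web3", "http_5xx"), ("printer", "tcp_reset")]
    return model, flows, errors


def run_pipeline():
    """Returns (anomalies before phantom edges, phantom edges added, anomalies after)."""
    model, flows, errors = build_sample()
    before = reduce_anomalies(model, errors)   # web3 is still isolated: 3 anomalies
    phantom = add_phantom_edges(model, flows)  # correlated traffic links db1 and web3
    after = reduce_anomalies(model, errors)    # web1/web2/web3 collapse to one: 2 anomalies
    return before, phantom, after


if __name__ == "__main__":
    before, phantom, after = run_pipeline()
    print(f"{len(before)} anomalies before phantom edges, {len(after)} after; phantom={phantom}")
    for anomaly in after:  # the reduced set is what a user would be notified of
        print(anomaly)
```

The reduction is what keeps the operator's queue short: without the phantom edge, the three `http_5xx` signals produce two anomalies (the linked pair and the isolated `web3`); once correlated traffic associates `web3` with `db1`, all three fold into one anomaly rooted in the same web tier, while the unrelated `tcp_reset` on the printer stays separate.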
Abstract
Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC performs further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.
26 Claims
8. A system for monitoring network traffic in a network comprising:
- a network computer, comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including:
    - providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
    - instantiating a network monitoring application to perform actions, including:
      - detecting one or more error signals;
      - employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
      - traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
      - analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
      - reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
      - employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network; and
- a client computer, comprising:
  - a transceiver that communicates over the network;
  - a memory that stores at least instructions; and
  - one or more processors that execute instructions that perform actions, including:
    - providing one or more portions of the network traffic to the network.
15. A processor readable non-transitory storage media that includes instructions for monitoring network traffic in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
- instantiating a network monitoring application to perform actions, including:
  - detecting one or more error signals;
  - employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  - traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  - analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  - reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  - employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.
21. A network computer for monitoring network traffic in a network, comprising:
- a transceiver that communicates over the network;
- a memory that stores at least instructions; and
- one or more processors that execute instructions that perform actions, including:
  - providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
  - instantiating a network monitoring application to perform actions, including:
    - detecting one or more error signals;
    - employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
    - traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
    - analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
    - reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
    - employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.