Network anomaly detection

US 9,729,568 B2
Filed: 08/12/2016
Issued: 08/08/2017
Est. Priority Date: 05/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes;

obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes;

obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;

generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;

obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period;

determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and

determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.

Citations

20 Claims

1. A computer implemented method, comprising:
- generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
  
  obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period;
  
  determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and
  
  determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein obtaining the network node information that includes the network activity data indicating typical network activity for the nodes comprises obtaining network node information that includes an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for the node type.
  - 3. The method of claim 1, wherein a duration of the first time period, a duration of the future time period, and a duration of the second time period are all the same duration.
  - 4. The method of claim 1, comprising determining whether a particular edge anomaly score for a particular edge between the particular network node and one of the other network nodes in the plurality of network nodes satisfies a threshold anomaly score.
  - 5. The method of claim 4, comprising sending an event message upon determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 6. The method of claim 5, comprising receiving a reply to the event message that indicates one or more actions to perform in response to determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 7. The method of claim 6, comprising performing at least one of the actions with respect to the particular edge that corresponds with the particular edge anomaly score.
  - 8. The method of claim 4, comprising performing at least one action with respect to the particular edge in response to determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 9. The method of claim 8, wherein the at least one action comprises at least one of presenting information to a user about the particular edge, disconnecting the particular network node from a network, restricting inbound or outbound bandwidth of the particular network node along the particular edge, preventing the particular network node from communicating over the particular edge, preventing the particular network node from sending or receiving particular types of network traffic over the particular edge, rerouting network traffic that has the particular network node as a destination, quarantining the particular network node, disabling the particular network node, creating a computer implemented network rule for the particular network node, silently discarding at least a portion of the network traffic corresponding to the particular network node received across the particular edge, transitioning an application executing on the particular network node to a second network node, or blocking network traffic that has the particular network node as a destination.

10. A system comprising one or more computers, including a monitoring device, the monitoring device having a communications interface, and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
- generating, by at least one of the one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
  
  obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period;
  
  determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and
  
  determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein obtaining the network node information that includes the network activity data indicating typical network activity for the nodes comprises obtaining network node information that includes an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for the node type.
  - 12. The system of claim 10, wherein a duration of the first time period, a duration of the future time period, and a duration of the second time period are all the same duration.
  - 13. The system of claim 10, the operations comprising determining whether a particular edge anomaly score for a particular edge between the particular network node and one of the other network nodes in the plurality of network nodes satisfies a threshold anomaly score.
  - 14. The system of claim 13, the operations comprising sending an event message upon determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 15. The system of claim 14, the operations comprising receiving a reply to the event message that indicates one or more actions to perform in response to determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 16. The system of claim 15, the operations comprising performing at least one of the actions with respect to the particular edge that corresponds with the particular edge anomaly score.
  - 17. The system of claim 13, the operations comprising performing at least one action with respect to the particular edge in response to determining that the particular edge anomaly score for the particular edge satisfies the threshold anomaly score.
  - 18. The system of claim 17, wherein the at least one action comprises at least one of presenting information to a user about the particular edge, disconnecting the particular network node from a network, restricting inbound or outbound bandwidth of the particular network node along the particular edge, preventing the particular network node from communicating over the particular edge, preventing the particular network node from sending or receiving particular types of network traffic over the particular edge, rerouting network traffic that has the particular network node as a destination, quarantining the particular network node, disabling the particular network node, creating a computer implemented network rule for the particular network node, silently discarding at least a portion of the network traffic corresponding to the particular network node received across the particular edge, transitioning an application executing on the particular network node to a second network node, or blocking network traffic that has the particular network node as a destination.

19. A non-transitory computer storage medium encoded with instructions that, when executed by a one or more computers, cause the one or more computers to perform operations comprising:
- generating, by at least one of the one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes;
  
  obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes;
  
  obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
  
  generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
  
  obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period;
  
  determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and
  
  determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous.
- View Dependent Claims (20)
- - 20. The computer storage medium of claim 19, wherein obtaining the network node information that includes the network activity data indicating typical network activity for the nodes comprises obtaining network node information that includes an indication of a node type for each of the plurality of network nodes and network activity data indicating typical network activity for the node type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Negm, Walid, Ellett, Eric, Solderitsch, James J., Lefebvre, Michael L., Carver, Matthew, DiValentin, Louis William
Primary Examiner(s)
LEE, JASON T

Application Number

US15/235,247
Publication Number

US 20160352768A1
Time in Patent Office

361 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 43/04   Processing captured monitor...

H04L 43/0888   Throughput

H04L 43/0894   Packet rate

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1466   Active attacks involving in...

H04W 12/08   Access security

Network anomaly detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network anomaly detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links