Network anomaly detection
First Claim
1. A computer implemented method, comprising:
- generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes;
obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes;
obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period;
generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data;
obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period;
determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and
determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining network related anomaly scores. One of the methods includes generating a network map including at least a plurality of network nodes and a plurality of edges that indicate communications paths between the plurality of network nodes, obtaining first data indicating network activity over the edges and between the plurality of network nodes for a first time period, generating a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map and the first data, obtaining second data indicating network activity over the edges and between the plurality of network nodes for a second time period, and determining an anomaly score using a comparison between the second data and the model of expected network activity.
-
Citations
20 Claims
-
1. A computer implemented method, comprising:
-
generating, by one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes; obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes; obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period; generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data; obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system comprising one or more computers, including a monitoring device, the monitoring device having a communications interface, and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
-
generating, by at least one of the one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes; obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes; obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period; generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data; obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. A non-transitory computer storage medium encoded with instructions that, when executed by a one or more computers, cause the one or more computers to perform operations comprising:
-
generating, by at least one of the one or more computers, a network map comprising at least a plurality of network nodes and a plurality of edges that each indicate a communications path between two nodes from the plurality of network nodes; obtaining, by at least one of the one or more computers, network node information that includes network activity data indicating typical network activity for the nodes; obtaining, by at least one of the one or more computers, first data indicating network activity over the edges and between the plurality of network nodes for a first time period; generating, by at least one of the one or more computers, a model of expected network activity over the edges and between the plurality of network nodes for a future time period using the network map, the network node information, and the first data; obtaining, by at least one of the one or more computers, second data indicating network activity over the edges and between the plurality of network nodes for a second time period; determining, using the model of expected network activity and the second data, whether the second data indicates that a particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node from the plurality of network nodes using different network protocols than expected network protocols identified in the model of expected network activity for the given edge; and determining, by at least one of the one or more computers and for the particular network node from the plurality of network nodes, an edge anomaly score for each of the edges between the particular network node and the other network nodes in the plurality of network nodes that have communications paths with the particular network node using a result of the determination whether the second data indicates that the particular network node is using a given edge to a) send to a second node larger packets than expected packet sizes identified in the model of expected network activity for the given edge or b) communicate with a second node using different network protocols than expected network protocols identified in the model of expected network activity for the given edge, each of the edge anomaly scores representing a probability that the corresponding edge connected to the particular network node is anomalous. - View Dependent Claims (20)
-
Specification