Symptom detection using behavior probability density, network monitoring of multiple observation value types, and network monitoring using orthogonal profiling dimensions

  • US 9,961,094 B1
  • Filed: 07/25/2008
  • Issued: 05/01/2018
  • Est. Priority Date: 07/25/2007
  • Status: Active Grant
First Claim
1. A method for monitoring network activity, including steps of

    maintaining, by a network monitoring device, a first data structure including information regarding historical activity of message traffic between two or more nodes in a network, wherein said historical activity represents a behavior of that network over a first time duration having a first starting time and a first ending time, said first data structure including a first histogram of a first set of counts of values of network traffic elements in a first set of mutually exclusive ranges thereof, said first histogram defining a first probability density function of first results of a first crosspoint of mutually exclusive ranges of values, each first result of the first crosspoint including a plurality of observable parameters, said first probability density function being representative of said historical activity for each distinguished value of each of that plurality of observable parameters;

    maintaining a second data structure including emergent activity of the network, wherein said emergent activity represents a behavior of that network over a second time duration, different from said first time duration, having a second starting time and a second ending time, said second starting time being more recent than said first starting time, said second data structure including a second histogram of a second set of counts of values of network traffic elements in a second set of mutually exclusive ranges thereof, said second histogram defining a second probability density function of second results of a second crosspoint of mutually exclusive ranges of values, each second result of the second crosspoint including said plurality of observable parameters and including counts of values of said observable parameters as in a corresponding said first result of the first crosspoint, said second probability density function being representative of said emergent activity for each distinguished value of each of that plurality of observable parameters;

    adjusting content of said first data structure in response to the information regarding emergent activity of that network;

    comparing a set of recent activity of the network, said recent activity of said network being distinguished from said historical activity and from said emergent activity, wherein said recent activity of that network represents a behavior of that network over a third time duration, different from said first time duration and said second time duration, having a third starting time and a third ending time, said third starting time being more recent than said first starting time, with a portion of said first data structure representing a particular one of said first results of the first crosspoint, said particular one of said first results of said first crosspoint being representative of said recent activity; and

    distinguishing, in response to a result of comparing between whether said recent network activity and at least one of historical network activity or emergent network activity is within the range of approved activity.
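
The following Python sketch is an added illustration, not part of the patent text or any implementation by the patent's owner. It shows one simplified reading of the claimed steps: histograms over a crosspoint of bucketed parameters, a historical baseline adjusted by emergent activity, and recent activity checked against the resulting density. The byte ranges, the choice of parameters (protocol, destination port, flow size), the blending weight and the `factor`/`floor` decision rule are all assumptions, and the sample flows are constructed.

```python
from collections import Counter

SIZE_EDGES = [0, 512, 4096, 65536]  # assumed lower bounds of mutually exclusive byte ranges

def size_bucket(nbytes):
    """Index of the byte range containing nbytes (the last range is open-ended)."""
    return max(i for i, edge in enumerate(SIZE_EDGES) if nbytes >= edge)

def crosspoint(flow):
    """One histogram cell: a combination of several observable parameters."""
    return (flow["proto"], flow["dport"], size_bucket(flow["bytes"]))

def histogram(flows):
    return Counter(crosspoint(f) for f in flows)

def density(hist):
    """Normalize counts so the cells sum to 1."""
    total = sum(hist.values())
    return {cell: n / total for cell, n in hist.items()} if total else {}

def fold_emergent(historical, emergent, weight=0.2):
    """Adjust the historical histogram with emergent counts (assumed weighted blend)."""
    cells = set(historical) | set(emergent)
    return Counter({c: (1 - weight) * historical[c] + weight * emergent[c] for c in cells})

def flag_recent(recent_flows, baseline, factor=3.0, floor=0.01):
    """Cells whose recent share exceeds factor x their baseline probability.
    `floor` stands in for cells the baseline has never seen (assumed rule)."""
    base = density(baseline)
    recent = density(histogram(recent_flows))
    return sorted(c for c, p in recent.items() if p > factor * max(base.get(c, 0.0), floor))

def flows(proto, dport, nbytes, count):
    return [{"proto": proto, "dport": dport, "bytes": nbytes}] * count

# Constructed sample traffic for three different time windows.
HISTORICAL = flows("tcp", 443, 300, 90) + flows("udp", 53, 100, 10)
EMERGENT = flows("tcp", 443, 300, 15) + flows("tcp", 8443, 300, 5)
RECENT = flows("tcp", 443, 300, 8) + flows("tcp", 22, 70000, 2)

if __name__ == "__main__":
    baseline = fold_emergent(histogram(HISTORICAL), histogram(EMERGENT))
    print(flag_recent(RECENT, baseline))
```
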