ANOMALY DETECTION AND IDENTIFICATION USING TRAFFIC STEERING AND REAL-TIME ANALYTICS

US 20120233311A1
Filed: 03/10/2011
Published: 09/13/2012
Est. Priority Date: 03/10/2011
Status: Active Grant

First Claim

Patent Images

1. A method, performed by an analytics and reporting (AR) server, associated with a service provider network, comprising:

monitoring, by the AR server, a plurality of packets associated with traffic that is traveling to or from the service provider network;

obtaining, by the AR server, traffic metrics associated with the plurality of packets, based on the monitoring of the traffic, where the traffic metrics are obtained with respect to one or more network layers;

detecting, by the AR server, an anomaly associated with the plurality of packets, based on traffic metrics associated with at least one network layer of the one or more network layers;

obtaining, by the AR server and from another server associated with the service provider network, copies of one or more packets, of the plurality of packets, based on the detection of the anomaly;

analyzing, by the content distribution system, each packet, of the copies of the one or more packets, to obtain information associated with the anomaly; and

sending, by the content distribution system and to a server device associated with the service provider network, a notification that indicates that the anomaly has been detected, where the notification includes at least one of;

the traffic metrics associated with the plurality of packets,the copies of the one or more packets, orinformation associated with the anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, associated with a service provider network, is configured to monitor traffic, that is traveling to or from the service provider network, to obtain traffic metrics that correspond to a collection of network layers, where the network layers; process the traffic metrics with respect to each of the network layers to identify an anomaly, associated with the traffic, that corresponds to at least one of the network layers; send a request for packets associated with the traffic based on the identification of the anomaly; receive copies of the packets associated with the traffic; analyze the copies of the packets to obtain information associated with the anomaly; and send a notification that indicates that the anomaly has been identified, where the notification includes the traffic metrics associated with the traffic or the information associated with the anomaly.

97 Citations

View as Search Results

25 Claims

1. A method, performed by an analytics and reporting (AR) server, associated with a service provider network, comprising:
- monitoring, by the AR server, a plurality of packets associated with traffic that is traveling to or from the service provider network;
  
  obtaining, by the AR server, traffic metrics associated with the plurality of packets, based on the monitoring of the traffic, where the traffic metrics are obtained with respect to one or more network layers;
  
  detecting, by the AR server, an anomaly associated with the plurality of packets, based on traffic metrics associated with at least one network layer of the one or more network layers;
  
  obtaining, by the AR server and from another server associated with the service provider network, copies of one or more packets, of the plurality of packets, based on the detection of the anomaly;
  
  analyzing, by the content distribution system, each packet, of the copies of the one or more packets, to obtain information associated with the anomaly; and
  
  sending, by the content distribution system and to a server device associated with the service provider network, a notification that indicates that the anomaly has been detected, where the notification includes at least one of;
  
  the traffic metrics associated with the plurality of packets,the copies of the one or more packets, orinformation associated with the anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, where monitoring the plurality of packets associated with traffic further includes:
    - performing a stateful packet inspection operation on each of the plurality of packets in a manner that does not reduce a level of throughput associated with the service provider network,where the stateful packet inspection operation includes analyzing a portion of each packet, of the plurality of packets, that does not include the payload portion of the each packet.
  - 3. The method of claim 1, where the traffic metrics include at least one of:
    - a network layer one metric that identifies a quantity of bandwidth associated with the traffic,a network layer three metric that identifies a quantity of user devices that are communicating with a particular uniform resource locator (URL),a network layer four metric that identifies a quantity of concurrent flows of packets, of the plurality of packets, that are destined for a particular port,a network layer five metric that identifies a quantity of calls, associated with the service provider network, that are terminated within a period of time,a network layer six metric that identifies information associated with a type of multipurpose Internet mail extension (MIME) associated with the traffic, ora network layer seven metric that identifies a quantity of web page errors associated with the traffic.
  - 4. The method of claim 3, where detecting the anomaly associated with the flow of packets further includes:
    - detecting a layer one anomaly when the quantity of bandwidth associated with the traffic is greater than a threshold associated with network layer one;
      
      detecting a layer three anomaly when the quantity of user devices, that are communicating with the particular uniform resource locator (URL), is greater than a threshold associated with network layer three; and
      
      detecting a layer four anomaly when the quantity of concurrent flows of packets, of the plurality of packets, that are destined for a particular port, is greater than a threshold associated with network layer four.
  - 5. The method of claim 3, where detecting the anomaly associated with the flow of packets further includes:
    - detecting a layer five anomaly when the quantity of calls associated with the service provider network, that are terminated within the period of time, is greater than a threshold associated with network layer five;
      
      detecting a layer six anomaly when the network layer six traffic metric identifies the information associated with the type of multipurpose Internet mail extension (MIME) that has not been previously detected; and
      
      detecting a layer seven anomaly when the quantity of web page errors, associated with the traffic, is greater than a threshold associated with network layer seven.
  - 6. The method of claim 1, where detecting the anomaly associated with the flow of packets further includes:
    - determining that traffic metrics, associated with at least one the one or more network layers, is greater than threshold associated with the at least one of the one or more network layers.
  - 7. The method of claim 1, further comprising:
    - obtaining context information associated with a user device that is affected by the anomaly, based on the detection of the anomaly, where the context information includes at least one of;
      
      a device identifier associated with the user device,information associated with a type of the user device,information associated with a location of the user device, orinformation associated with an operating system that is executed by the user device; and
      
      sending, to the server device associated with the service provider network, the context information associated with the user device.
  - 8. The method of claim 1, where obtaining the copies of the one or more packets, of the plurality of packets, further includes:
    - transmitting the one or more packets to a destination device in a manner that does not decrease the throughput of the plurality of packets.
  - 9. The method of claim 1, where analyzing each packet, of the copies of the one or more packets, further includes:
    - identifying an error in a header of at least one packet, of the copies of the one or more packets, where the header is associated with;
      
      network layer three of the one or more network layers, ornetwork layer four of the one or more network layers.
  - 10. The method of claim 1, where analyzing each packet, of the copies of the one or more packets, further includes:
    - assigning a first classification to the anomaly based on a determination that the anomaly is a packet error;
      
      assigning a second classification to the anomaly based on a determination that the anomaly is associated with malicious information or software;
      
      assigning a third classification to the anomaly based on a determination that the anomaly is associated with an electronic attack; and
      
      assigning a fourth classification to the anomaly based on a determination that the anomaly is associated with a signaling error.
  - 11. The method of claim 1, where analyzing each packet, of the copies of the one or more packets, further includes:
    - identifying another anomaly associated with other traffic;
      
      analyzing packets associated with the other traffic based on the identification of the other anomaly to obtain information associated with the other anomaly;
      
      comparing the information associated with the other anomaly with the information associated with the anomaly; and
      
      sending, to the server device, the information associated with the other anomaly or information obtained as a result of the comparison of the information associated with the other anomaly with the information associated with the anomaly.

12. A computing device associated with a service provider network, the computing device comprising:
- one or more processors to;
  
  monitor traffic, that is traveling to or from the service provider network, to obtain traffic metrics, associated with the traffic, that corresponds to one or more network layers, where the one or more network layers include at least one of a physical layer, a network layer, a transport layer, a session layer, a presentation layer, or an application layer,process the traffic metrics with respect to each of the one or more network layers to identify an anomaly, associated with the traffic, that corresponds to at least one network layer of the one or more network layers,send, to a steering server, a request for packets associated with the traffic based on the identification of the anomaly,receive, from the steering server, copies of the packets associated with the traffic,analyze the copy of the packets to obtain information associated with the anomaly, andsend, to a server device, a notification that indicates that the anomaly has been identified, where the notification includes the traffic metrics associated with the traffic or the information associated with the anomaly.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The computing device of claim 12, where the steering server is to:
    - receive, from the computing device, the request for the packets associated with the traffic,generate the copies of the packets based on information, associated with the packets, obtained from the request,transmit the packets, associated with the traffic, to a destination device, andtransmit the copies of the packets to the computing device.
  - 14. The computing device of claim 13, where the information associated with the packets includes at least one of:
    - a destination Internet protocol (IP) address,a source IP address,an identifier associated with a user device from which the flow is sent, orinformation associated with a quantity of the packets to be received.
  - 15. The computing device of claim 12 where the one or more network layers are specified by the Open Systems Interconnect (OSI) model.
  - 16. The computing device of claim 12, where the traffic metrics include at least one of:
    - a traffic metric, associated with the physical layer, that identifies a quantity of concurrent packet flows associated with the traffic,a traffic metric associated with the network layer that identifies a quantity of user devices that are communicating with a network associated with a country that is different than another country with which the service provider network is associated,a traffic metric, associated with the transport layer, that indicates whether a user device is sweeping ports associated with the service provider network,a traffic metric, associated with the session layer, that identifies an average call duration associated with the traffic,a traffic metric, associated with the presentation layer, that identifies a multipurpose Internet mail extension (MIME) type associated with the plurality of packets, ora traffic metric, associated with the application layer, that identifies a quantity of domain name queries associated with a particular URL.
  - 17. The computing device of claim 16, where, when processing the traffic metrics with respect to the each of the one or more network layers, the one or more processors is further to:
    - identify a physical layer anomaly when the quantity of concurrent packet flows, associated with the traffic, is greater than a threshold associated with the physical layer,identify a network layer anomaly when the quantity of user devices that are communicating with the network associated with the country that is different than the other country, is greater than a threshold associated with the network layer, andidentify a transport layer anomaly when the traffic metric associated with the transport layer indicates that the user device is sweeping the ports.
  - 18. The computing device of claim 16, where, when processing the traffic metrics with respect to the each of the one or more network layers, the one or more processors is further to:
    - identify a session layer anomaly when a difference between the average call duration associated with the traffic and an average call duration, associated with the service provider network, is greater than a threshold associated with the session layer,identify a presentation layer anomaly when the traffic metric associated with the presentation layer identifies a type of multipurpose Internet mail extension (MIME) that has not been previously detected, andidentify an application layer anomaly when the quantity of domain name queries, associated with a particular URL, is greater than a threshold associated with the application layer.
  - 19. The computing device of claim 12, where the one or more processors is further to:
    - retrieve context information associated with a user device that is affected by the anomaly, where the context information includes at least one of;
      
      a device identifier associated with the user device,information associated with a previous quantity of web pages that were accessed by the user device, orinformation associated with one or more other user devices to which a prior quantity of calls were placed by the user device, andsend, to the server device associated with the service provider network, the context information associated with the user device.
  - 20. The computing device of claim 12, where, when analyzing the copy of the packets, the one or more processors is further to:
    - assign a classification to the anomaly based on the traffic metrics and the information associated with the anomaly,obtain information associated with one or more other anomalies that have been detected within the service provider network, andsend, to the server device, information associated with the classification assigned to the anomaly and information associated with another anomaly, of the one or more other anomalies, that has been assigned a classification that matches the classification assigned to the anomaly.

21. A server device, associated with a service provider network, comprising:
- a memory to store information associated with one or more anomalies detected within the service provider network; and
  
  a processor to;
  
  monitor traffic received from or destined for a user device associated with the service provider network,obtain, from the traffic and based on monitoring the traffic, information associated with the traffic that corresponds to one or more network layers associated with the service provider network,determine that an anomaly is associated with the traffic based on the information associated with the traffic and one or more thresholds that corresponds to the one or more network layers,generate copies of packets associated with the traffic based on the determination that the anomaly is associated with the traffic,analyze the copies of the packets to obtain information associated with the anomaly,retrieve, from the memory, the information associated with the one or more anomalies,send, to a network management server associated with the service provider network, a notification that indicates that the anomaly has been detected, where the notification includes at least one of;
  
  the information associated with the traffic,the information associated with the anomaly, andthe information associated with the one or more anomalies.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The server device of claim 21, where the processor is further to:
    - present for display a geographical area within which the service provider network is located,provide for display information associated with a respective location of each user device that is affected by the anomaly or the one or more anomalies, where the information associated with the respective location is based on;
      
      the information associated with the traffic,the information associated with the anomaly, orthe information associated with the one or more anomalies.
  - 23. The server device of claim 21, where, when analyzing the copies of the packets to obtain information associated with the anomaly, the processor is to:
    - identify errors in packet headers associated with an Internet protocol (IP) version four (IPv4) or IP version six (IPv6), andsend, to the network management server, information associated with the identification of the errors in the packet headers.
  - 24. The server device of claim 21, where, when analyzing the copies of the packets to obtain information associated with the anomaly, the processor is to:
    - identify errors in packet headers associated with a transport control protocol (TCP) or a user datagram protocol (UDP), andsend, to the network management server, information associated with the identification of the errors in the packet headers.
  - 25. The server device of claim 21, where, when analyzing the copies of the packets to obtain information associated with the anomaly, the processor is to:
    - assign a classification to the anomaly based on the information associated with the traffic or the information associated with the anomaly,identify another anomaly, of the one or more anomalies, that has been assigned the classification, andsend, to the network management server, the information associated with the anomaly and information associated with the other anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
PARKER, Benjamin J., NEISINGER, Chris S.

Granted Patent

US 9,026,644 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 41/142   using statistical or mathem...

H04L 43/00   Arrangements for monitoring...

H04L 43/022   by sampling

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

ANOMALY DETECTION AND IDENTIFICATION USING TRAFFIC STEERING AND REAL-TIME ANALYTICS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALY DETECTION AND IDENTIFICATION USING TRAFFIC STEERING AND REAL-TIME ANALYTICS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links