METHOD AND SYSTEM FOR CONFIDENT ANOMALY DETECTION IN COMPUTER NETWORK TRAFFIC

US 20180337836A1
Filed: 12/11/2017
Published: 11/22/2018
Est. Priority Date: 11/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and classifying network traffic anomalies, comprising:

receiving a packet of information related to network traffic;

passing said packet to one or a plurality of network traffic analyzers;

at least some of said network traffic analyzers capable of applying an analytical algorithm to information contained in said packet that is different from the analytical algorithm applied by another of said network traffic analyzers;

receiving results of analysis performed by said analyzers;

evaluating results of analysis performed by said analyzers as a collection;

determining if the result of evaluation signifies a network traffic anomaly; and

emitting an alert if the result of evaluation signifies a network traffic anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to systems and methods for detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines. Upon detection, traffic anomalies can be processed to determine valuable network insights, including health of interfaces, devices and network services, as well as to provide timely alerts in the event of attack.

13 Citations

View as Search Results

8 Claims

1. A method for detecting and classifying network traffic anomalies, comprising:
- receiving a packet of information related to network traffic;
  
  passing said packet to one or a plurality of network traffic analyzers;
  
  at least some of said network traffic analyzers capable of applying an analytical algorithm to information contained in said packet that is different from the analytical algorithm applied by another of said network traffic analyzers;
  
  receiving results of analysis performed by said analyzers;
  
  evaluating results of analysis performed by said analyzers as a collection;
  
  determining if the result of evaluation signifies a network traffic anomaly; and
  
  emitting an alert if the result of evaluation signifies a network traffic anomaly.
- View Dependent Claims (2)
- - 2. A method as set forth in claim 1, further comprising the step of performing trend analysis upon the results of said evaluating step to reduce false positives.

3. A method for detecting and classifying network traffic anomalies, comprising:
- receiving a stream of packets of information related to network traffic;
  
  passing at least a portion of said stream of information packets to a network traffic analyzer;
  
  applying at least one analytical algorithm to said portion of said stream of information packets;
  
  determining if said applying step indicates the existence of a network traffic anomaly; and
  
  emitting an alert if a network traffic anomaly is detected;
  
  wherein said applying and said determining step are practiced prior to any step of permanently storing said portion of said stream of information packets.

4. A method for assessing the condition of an interface of a network device, comprising:
- receiving a stream of packets of information related to network traffic passing through said network device interface;
  
  passing at least a portion of said stream of information packets to a network traffic analyzer;
  
  applying at least one analytical algorithm to said portion of said stream of information packets;
  
  wherein said applying step computes a metric for assessing operational condition of said network device interface;
  
  emitting an alert if said computed metric indicates an abnormal operational condition of said network device interface;
  
  wherein said applying and said metric computation are practiced prior to any step of permanently storing said portion of said stream of information packets.
- View Dependent Claims (5, 6, 7)
- - 5. A method as set forth in claim 4, further comprising the step of performing trend analysis upon the results of said metric computation to predict a risk of failure of said network device interface.
  - 6. A method as set forth in claim 4, further comprising the step of assessing the operational condition of the said network device as a function of assessed operational condition of the interfaces of said network device;
    - wherein said assessing step is practiced prior to any step of permanently storing said portion of said stream of information packets.
  - 7. A method as set forth in claim 6, further comprising the step of assessing the operational condition of a network service, comprising:
    - receiving a stream of packets of information related to network traffic passing through more than one network devices that forward said network traffic to and from said network service;
      
      passing at least a portion of said stream of information packets to a network traffic analyzer;
      
      applying said method to information packets pertaining to at least a portion of said network devices that forward said network traffic to and from said network service;
      
      determining if said applying step indicates an abnormal operational condition of at least one of said network devices;
      
      emitting an alert pertaining to a network service if said applying step indicates an abnormal operational condition of at least one said network device that forwards said network traffic to and from said network service;
      
      wherein said determining and said emitting steps are practiced prior to any step of permanently storing said portion of said stream of information packets.

8-14. -14. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetFlow Logic Corporation
Original Assignee
NetFlow Logic Corporation
Inventors
Balabine, Igor, Velednitsky, Alexander

Granted Patent

US 10,542,024 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 43/04   Processing captured monitor...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

METHOD AND SYSTEM FOR CONFIDENT ANOMALY DETECTION IN COMPUTER NETWORK TRAFFIC

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR CONFIDENT ANOMALY DETECTION IN COMPUTER NETWORK TRAFFIC

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links