Anomaly detection using device relationship graphs

US 9,729,416 B1
Filed: 07/11/2016
Issued: 08/08/2017
Est. Priority Date: 07/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:

providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and

instantiating a network monitoring application to perform actions, including;

detecting one or more error signals;

employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;

traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;

analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;

reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and

employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC perform further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.

225 Citations

26 Claims

1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising:
- providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals;
  
  employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  
  traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  
  analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  
  reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  
  employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein providing the device relation model, further comprises:
    - adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and
      
      adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents.
  - 3. The method of claim 1, wherein providing the device relation model further comprises:
    - providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and
      
      removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold.
  - 4. The method of claim 1, further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents.
  - 5. The method of claim 1, wherein providing the device relation model, further comprises:
    - associating the one or more agents with applications based on their network traffic; and
      
      assigning the one or more agents to one or more groups based on their network traffic and their associated applications.
  - 6. The method of claim 1, wherein analyzing the network traffic further comprises:
    - comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and
      
      associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison.
  - 7. The method of claim 1, further comprising, when one or more of the one or more anomalies in the network traffic are caused by error signals associated with one or more upstream anomalies, discarding the one or more anomalies caused by the error signals associated with the one or more upstream anomalies.

8. A system for monitoring network traffic in a network comprising:
- a network computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals;
  
  employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  
  traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  
  analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  
  reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  
  employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network; and
  
  a client computer, comprising;
  
  a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing one or more portions of the network traffic to the network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein providing the device relation model, further comprises:
    - adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and
      
      adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents.
  - 10. The system of claim 8, wherein providing the device relation model further comprises:
    - providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and
      
      removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold.
  - 11. The system of claim 8, wherein the network computer'"'"'s one or more processors execute instructions that perform actions, further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents.
  - 12. The system of claim 8, wherein providing the device relation model, further comprises:
    - associating the one or more agents with applications based on their network traffic; and
      
      assigning the one or more agents to one or more groups based on their network traffic and their associated applications.
  - 13. The system of claim 8, wherein analyzing the network traffic further comprises:
    - comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and
      
      associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison.
  - 14. The system of claim 8, wherein the network computer'"'"'s one or more processors execute instructions that perform actions, further comprising, when one or more of the one or more anomalies in the network traffic are caused by error signals associated with one or more upstream anomalies, discarding the one or more anomalies caused by the error signals associated with the one or more upstream anomalies.

15. A processor readable non-transitory storage media that includes instructions for monitoring network traffic in a network, wherein execution of the instructions by one or more processors performs actions, comprising:
- providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals;
  
  employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  
  traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  
  analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  
  reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  
  employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The media of claim 15, wherein providing the device relation model, further comprises:
    - adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and
      
      adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents.
  - 17. The media of claim 15, wherein providing the device relation model further comprises:
    - providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and
      
      removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold.
  - 18. The media of claim 15, further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents.
  - 19. The media of claim 15, wherein providing the device relation model, further comprises:
    - associating the one or more agents with applications based on their network traffic; and
      
      assigning the one or more agents to one or more groups based on their network traffic and their associated applications.
  - 20. The media of claim 15, wherein analyzing the network traffic further comprises:
    - comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and
      
      associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison.

21. A network computer for monitoring network traffic in a network, comprising:
- a transceiver that communicates over the network;
  
  a memory that stores at least instructions; and
  
  one or more processors that execute instructions that perform actions, including;
  
  providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and
  
  instantiating a network monitoring application to perform actions, including;
  
  detecting one or more error signals;
  
  employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other;
  
  traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model;
  
  analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal;
  
  reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and
  
  employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The network computer of claim 21, wherein providing the device relation model, further comprises:
    - adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and
      
      adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents.
  - 23. The network computer of claim 21, wherein providing the device relation model further comprises:
    - providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and
      
      removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold.
  - 24. The network computer of claim 21, further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents.
  - 25. The network computer of claim 21, wherein providing the device relation model, further comprises:
    - associating the one or more agents with applications based on their network traffic; and
      
      assigning the one or more agents to one or more groups based on their network traffic and their associated applications.
  - 26. The network computer of claim 21, wherein analyzing the network traffic further comprises:
    - comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and
      
      associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ExtraHop Networks, Incorporated
Original Assignee
ExtraHop Networks, Incorporated
Inventors
Khanal, Bhushan Prasad, Wu, Xue Jun
Primary Examiner(s)
Donabed, Ninos

Application Number

US15/207,213
Time in Patent Office

393 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/065   involving logical or physic...

H04L 41/145   involving simulating, desig...

H04L 43/0823   Errors, e.g. transmission e...

H04L 67/1044   Group management mechanisms...

H04L 69/16   Implementation or adaptatio...

Anomaly detection using device relationship graphs

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

225 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection using device relationship graphs

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

225 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links