Creating aggregate network flow time series in network anomaly detection systems

US10356115B2 · US · B2

Patent metadata
Publication number: US-10356115-B2
Application number: US-201715475743-A
Country: US
Kind code: B2
Filing date: Mar 31, 2017
Priority date: Mar 31, 2017
Publication date: Jul 16, 2019
Grant date: Jul 16, 2019

Abstract

Official abstract text for this publication.

In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer implemented method for processing network flow data over a time series associated with a device-circuit pair, comprising: receiving, by a server, flow data for one or more flows that correspond to the device-circuit pair; calculating, by the server, a time difference for each flow of the one or more flows that correspond to the device-circuit pair, wherein calculating the time difference for each flow is based on a start time and an end time of each flow at one of the device-circuit pair and a file stamp time of a network flow record indicating each flow received by the server; based on the calculated time differences and the received flow data, updating, by the server, a probability distribution model associated with the device-circuit pair; determining, by the server, whether a time bucket, of the time series, is complete or open based on the updated probability distribution model; and detecting a network anomaly based on flow data corresponding to the time bucket, in response to determining that the time bucket is complete.

2. The method of claim 1, further comprising: in response to determining that the time bucket is complete, ignoring, by the server, additional flow data that corresponds to the time bucket; and in response to determining that the time bucket is open, incorporating, by the server, additional flow data that corresponds to the time bucket.

3. The computer implemented method of claim 1, wherein the probability distribution model comprises the received flow data that corresponds to the device-circuit pair and the time differences for the one or more flows that correspond to the device-circuit pair.

4. The computer implemented method of claim 3, wherein the updating the probability distribution model comprises: incorporating, by the server, the received flow data and the calculated time differences into the probability distribution model; calculating, by the server, a mean value based on the time differences and the flow data included in the probability distribution model; and calculating, by the server, a standard deviation value based on the time differences and the flow data included in the probability distribution model.

5. The computer implemented method of claim 4, wherein the determining whether the time bucket is complete or open comprises: calculating, by the server, a time delay value based on the standard deviation value; and determining, by the server, whether the time bucket is complete or open based on the time delay value and the file stamp time.

6. The computer implemented method of claim 5, wherein the calculating the time delay value comprises calculating the time delay value based on the standard deviation value and the mean value.

7. The computer implemented method of claim 5, wherein the determining whether the time bucket is complete or open comprises: creating an expiry time based on an end time of the time bucket and the calculated time delay value; determining that the time bucket is complete if the file stamp time is beyond the created expiry time; and determining that the time bucket is open if the file stamp time is not beyond the created expiry time.

8. A system for processing network flow data over a time series associated with a device-circuit pair, comprising: a memory; and at least one processor coupled to the memory and configured to: receive flow data for one or more flows that correspond to the device-circuit pair; calculate a time difference for each flow of the one or more flows that correspond to the device-circuit pair, wherein calculating the time difference for each flow is based on a start time and an end time of each flow at one of the device-circuit pair and a file stamp time of a network flow record indicating each flow received by the server; based on the calculated time differences and the received flow data, update a probability distribution model associated with the device-circuit pair; determine whether a time bucket, of the time series, is complete or open based on the updated probability distribution model; and detect a network anomaly based on flow data corresponding to the time bucket, in response to determining that the time bucket is complete.

9. The system of claim 8, wherein the at least one processor is further configured to: in response to determining that the time bucket is complete, ignore additional flow data that corresponds to the time bucket; and in response to determining that the time bucket is open, incorporate additional flow data that corresponds to the time bucket.

10. The system of claim 8, wherein the probability distribution model comprises the received flow data that corresponds to the device-circuit pair and the time differences for the one or more flows that correspond to the device-circuit pair.

11. The system of claim 10, wherein the at least one processor is further configured to update the probability distribution model by: incorporating the received flow data and the calculated time differences into the probability distribution model; calculating a mean value based on the time differences and the flow data included in the probability distribution model; and calculating a standard deviation value based on the time differences and the flow data included in the probability distribution model.

12. The system of claim 11, wherein the at least one processor is further configured to determine whether the time bucket is complete or open by: calculating a time delay value based on the standard deviation value; and determining whether the time bucket is complete or open based on the time delay value and the file stamp time.

13. The system of claim 12, wherein the at least one processor is further configured to calculate the time delay value by calculating the time delay value based on the standard deviation value and the mean value.

14. The system of claim 12, wherein the at least one processor is further configured to determine whether the time bucket is complete or open by: creating an expiry time based on an end time of the time bucket and the calculated time delay value; determining that the time bucket is complete if the file stamp time is beyond the created expiry time; and determining that the time bucket is open if the file stamp time is not beyond the created expiry time.

15. A non-transitory computer-readable medium having instructions stored thereon that, when executed by at least one computing device, causes the at least one computing device to perform operations for processing network flow data over a time series associated with a device-circuit pair, comprising: receiving flow data for one or more flows that correspond to the device-circuit pair; calculating a time difference for each flow of the one or more flows that correspond to the device-circuit pair, wherein calculating the time difference for each flow is based on a start time and an end time of each flow at one of the device-circuit pair and a file stamp time of a network flow record indicating each flow received by the server; based on the calculated time differences and the received flow data, updating a probability distribution model associated with the device-circuit pair; determining whether a time bucket, of the time series, is complete or open based on the updated probability distribution model; and detecting a network anomaly based on flow data corresponding to the time bucket, in response to determining that the time bucket is complete.

16. The non-transitory computer-readable medium of claim 15, wherein the operations further comp
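The claimed procedure is easier to follow in code: each flow yields a time difference, the differences feed a per-pair probability distribution model whose mean and standard deviation set a time delay, a bucket's expiry is its end time plus that delay, and a record whose file stamp is beyond the expiry marks the bucket complete, after which further records for that bucket are ignored and the bucket is scored for anomalies. The Python below is an added worked example, not code from the patent or from its assignee. Where the claims are silent it assumes that the time difference is the file stamp time minus the flow end time (how late the record reached the server), that the model is a running mean and sample standard deviation (Welford's update), that the time delay is the mean plus three standard deviations (K_SIGMA), and that anomaly detection is a z-score of a completed bucket's byte total against earlier completed buckets of the same pair. It also generalizes the claim 7 test to every open bucket of the pair, so buckets are closed as later records arrive rather than only when a late record for that bucket appears. All flow records are constructed for the example.

```python
# Added illustration of the claimed procedure, not the patent's own code. Assumed
# where the claims are silent: time difference = file_stamp - end; model = running
# mean/std-dev (Welford); time delay = mean + K_SIGMA*std_dev; anomaly = z-score.
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List

BUCKET_SECONDS = 60.0  # width of each bucket in the aggregate time series
K_SIGMA = 3.0          # assumed multiplier on std-dev for the time delay value
ANOMALY_Z = 3.0        # assumed z-score threshold on completed-bucket byte totals

@dataclass
class Flow:
    start: float       # flow start time at the device-circuit (epoch seconds)
    end: float         # flow end time (epoch seconds)
    file_stamp: float  # time the flow record file reached the server
    nbytes: int

@dataclass
class DelayModel:
    """Probability distribution model of record delays: running mean/std-dev."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:  # Welford's online update
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std_dev(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def time_delay(self) -> float:
        return self.mean + K_SIGMA * self.std_dev  # claim 6: from mean and std-dev

@dataclass
class Bucket:
    start: float
    total_bytes: int = 0
    complete: bool = False

class FlowSeries:
    """Time series of one device-circuit pair: its buckets plus its delay model."""

    def __init__(self) -> None:
        self.model = DelayModel()
        self.buckets: Dict[float, Bucket] = {}
        self.completed_totals: List[int] = []  # baseline for anomaly scoring
        self.anomalies: List[float] = []       # start times of flagged buckets
        self.ignored = 0                       # late records dropped (claim 2)

    def ingest(self, flow: Flow) -> str:
        """Process one flow record; returns 'incorporated' or 'ignored'."""
        self.model.update(flow.file_stamp - flow.end)  # claim 1: diff, then update
        start = flow.start - flow.start % BUCKET_SECONDS
        bucket = self.buckets.setdefault(start, Bucket(start))
        # Claim 7 for every open bucket: expiry = bucket end + time delay; the
        # bucket is complete once a record's file stamp lies beyond that expiry.
        delay = self.model.time_delay()
        for b in self.buckets.values():
            if not b.complete and flow.file_stamp > b.start + BUCKET_SECONDS + delay:
                self._complete(b)
        if bucket.complete:  # claim 2: a closed bucket ignores further data
            self.ignored += 1
            return "ignored"
        bucket.total_bytes += flow.nbytes
        return "incorporated"

    def _complete(self, bucket: Bucket) -> None:
        bucket.complete = True
        # Claim 1: anomaly detection runs only once the bucket is complete.
        if self._is_anomalous(bucket.total_bytes):
            self.anomalies.append(bucket.start)
        self.completed_totals.append(bucket.total_bytes)

    def _is_anomalous(self, total: int) -> bool:
        hist = self.completed_totals
        if len(hist) < 2:  # no usable baseline yet
            return False
        mean = sum(hist) / len(hist)
        sd = sqrt(sum((h - mean) ** 2 for h in hist) / (len(hist) - 1))
        sd = max(sd, 0.1 * mean)  # assumed floor: a flat baseline must not alert on noise
        return (total - mean) / sd > ANOMALY_Z

def run_demo() -> FlowSeries:
    """Constructed records (start, end, file_stamp, bytes) for one pair: three
    normal buckets, a byte spike in 180-240, an open 240-300, one late record."""
    flows = [
        Flow(5.0, 20.0, 35.0, 400), Flow(10.0, 40.0, 52.0, 600), Flow(30.0, 55.0, 70.0, 500),
        Flow(65.0, 80.0, 95.0, 900), Flow(70.0, 110.0, 128.0, 700),
        Flow(125.0, 150.0, 165.0, 800), Flow(160.0, 175.0, 188.0, 600),
        Flow(185.0, 200.0, 215.0, 50000), Flow(190.0, 230.0, 245.0, 700),
        Flow(245.0, 260.0, 275.0, 500),
        Flow(50.0, 58.0, 400.0, 300),  # belongs to bucket 0-60, arrives minutes late
    ]
    series = FlowSeries()
    for f in flows:
        series.ingest(f)
    return series
```

Running `run_demo()` closes buckets 0-60 through 180-240, leaves 240-300 open, drops the late record for 0-60 (its 300 bytes are not added to the 1500 already counted), and flags 180-240 as anomalous. Note that the ignored late record still updates the delay model, as claim 1 requires for every received flow: one record arriving six minutes late moves the time delay from about 19 s to about 340 s, so later buckets stay open far longer. Bounding or aging out such samples is a deployment decision that the claims shown here do not address.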

Assignees

Inventors

Classifications (CPC titles)

  • Probabilistic graphical models, e.g. probabilistic networks

  • Traffic logging, e.g. anomaly detection

  • Denial of Service

  • using statistical or mathematical methods

  • related to network traffic

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Level 3 Communications LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jul 16, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).