Correlating causes and effects associated with network activity

US10411978B1 · US · B1

Patent metadata

Field               Value
Publication number  US-10411978-B1
Application number  US-201816100116-A
Country             US
Kind code           B1
Filing date         Aug 9, 2018
Priority date       Aug 9, 2018
Publication date    Sep 10, 2019
Grant date          Sep 10, 2019


Abstract

Official abstract text for this publication.

Embodiments are directed to monitoring network traffic using a monitoring engine that monitors network traffic in networks to provide metrics. An inference engine may provide activity profiles based on portions of the network traffic where each activity profile includes features associated with the portions of network traffic. The inference engine may determine other activity profiles correlated with the activity profiles based on correlation models such that the determination of the other activity profiles occurs prior to monitoring an occurrence of other portions of the network traffic. The inference engine may modify monitoring actions of the monitoring engine based on the other activity profiles. The inference engine may provide reports based on the portions of the network traffic, the activity profiles, the other portions of the network traffic, or the other activity profiles.

Claims

Opening claim text (preview; the text is cut off partway through claim 11).

What is claimed as new and desired to be protected by Letters Patent of the United States is:

1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the one or more network computers perform the method comprising: instantiating a monitoring engine to perform actions, including: monitoring one or more portions of the network traffic that are associated with a plurality of entities in one or more networks to provide one or more metrics; and instantiating an inference engine that performs actions, including: providing one or more activity profiles based on the plurality of entities and the one or more portions of the network traffic, wherein each activity profile includes features based on the one or more metrics, the plurality of entities, or the one or more portions of the network traffic; determining one or more other activity profiles that correlate with the one or more activity profiles based on one or more correlation models; monitoring one or more other portions of the network traffic associated with the one or more other activity profiles, wherein the determination of the one or more other activity profiles occurs separate from the monitoring of the one or more other portions of the network traffic that are associated with the one or more other activity profiles; modifying one or more actions of the monitoring engine based on the one or more other activity profiles; and providing one or more reports based on the one or more portions of the network traffic, the one or more activity profiles, the one or more other portions of the network traffic, or the one or more other activity profiles, wherein the one or more reports are provided to one or more users.

2. The method of claim 1, wherein modifying the one or more actions of the monitoring engine further comprises modifying the monitoring of the network traffic based on the one or more other activity profiles, wherein the modifications include collecting one or more additional metrics associated with the one or more other portions of the network traffic that are associated with the one or more other activity profiles.

3. The method of claim 1, wherein the inference engine performs further actions, including associating the one or more portions of the network traffic with the one or more activity profiles based on the one or more portions of the network traffic matching one or more of the features that are associated with the one or more activity profiles.

4. The method of claim 1, wherein providing the one or more activity profiles further comprises matching the one or more portions of the network traffic to the one or more activity profiles based on one or more characteristics of the one or more portions of the network traffic, wherein the one or more characteristics include one or more of network flow features, packet size, bit rate of the network traffic, communication protocol, encryption status, encryption state, encryption version, encryption type, encryption cipher, error rate, device relations based on one or more device relation models, time-of-day, day-of-week, user, user group, source tuple information, destination tuple information, application type, service type, payload or header content, or geolocation information.

5. The method of claim 1, wherein the inference engine performs further actions, including training the one or more correlation models based on the network traffic and the one or more activity profiles, wherein the one or more correlation models provide correlations that predict a likelihood of the occurrence of the one or more other portions of network traffic subsequent to the occurrence of the one or more portions of the network traffic based on one or more dependencies associated with the one or more activity profiles and the one or more other activity profiles.

6. The method of claim 1, wherein the inference engine performs further actions, including: determining a score for each of the one or more correlation models based on the occurrence of the one or more other portions of network traffic subsequent to the one or more portions of the network traffic; determining the one or more correlation models that require re-training based on the determined score having a value that is below a threshold value; and re-training the one or more determined correlation models based on the network traffic.

7. The method of claim 1, wherein providing the one or more activity profiles further comprises providing computer readable instructions that are executed to enforce one or more matching rules or filter rules that are associated with the one or more activity profiles, wherein the one or more matching rules or filter rules include one or more of regular expressions, one or more compound rules, one or more cascading rules, or one or more sub-rules.

8. The method of claim 1, wherein providing the one or more reports further comprises one or more of detecting one or more anomalies associated with the one or more activity profiles, identifying one or more capacity planning actions based on the one or more activity profiles, or tracing one or more transactions based on the one or more activity profiles.

9. A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more network computers perform the method comprising: instantiating a monitoring engine to perform actions, including: monitoring one or more portions of the network traffic that are associated with a plurality of entities in one or more networks to provide one or more metrics; and instantiating an inference engine that performs actions, including: providing one or more activity profiles based on the plurality of entities and the one or more portions of the network traffic, wherein each activity profile includes features based on the one or more metrics, the plurality of entities, or the one or more portions of the network traffic; determining one or more other activity profiles that correlate with the one or more activity profiles based on one or more correlation models; monitoring one or more other portions of the network traffic associated with the one or more other activity profiles, wherein the determination of the one or more other activity profiles occurs separate from the monitoring of the one or more other portions of the network traffic that are associated with the one or more other activity profiles; modifying one or more actions of the monitoring engine based on the one or more other activity profiles; and providing one or more reports based on the one or more portions of the network traffic, the one or more activity profiles, the one or more other portions of the network traffic, or the one or more other activity profiles, wherein the one or more reports are provided to one or more users.

10. The media of claim 9, wherein modifying the one or more actions of the monitoring engine further comprises modifying the monitoring of the network traffic based on the one or more other activity profiles, wherein the modifications include collecting one or more additional metrics associated with the one or more other portions of the network traffic that are associated with the one or more other activity profiles.

11. The media of claim 9, wherein the inference engine performs further actions, including associating the one or more portions of the network traffic with the one or more activity profiles based on the one or more portions of the network traffic matching one or more of the features that are associated with the one or more
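The claims describe three moving parts: matching traffic to activity profiles by feature rules (claims 3, 4, 7), a correlation model that predicts which profiles tend to follow an observed one so the monitoring engine can start collecting extra metrics before that traffic appears (claims 2, 5), and scoring the model against what actually followed to decide on re-training (claim 6). The Python below is an added illustration, not code from the patent or from ExtraHop; the profile rules, the per-entity training sequences and the metric names are constructed assumptions, and the transition-count model stands in for whatever correlation model an implementation would use.

```python
from collections import defaultdict
# Constructed activity profiles: name -> matching rule over flow features
# (claim 4 lists protocol and destination tuple among the matchable characteristics).
PROFILES = {
    "dns_lookup":  lambda f: f["proto"] == "udp" and f["dport"] == 53,
    "tls_session": lambda f: f["proto"] == "tcp" and f["dport"] == 443,
    "db_query":    lambda f: f["proto"] == "tcp" and f["dport"] == 5432,
}

def classify(flow):
    """Return the first activity profile whose features the flow matches."""
    return next((n for n, rule in PROFILES.items() if rule(flow)), "unknown")

class CorrelationModel:
    """Transition counts between profiles: predicts what tends to follow an
    observed profile (claim 5) and scores its own predictions (claim 6)."""
    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.hits = self.checked = 0
    def train(self, profile_sequence):
        for cur, nxt in zip(profile_sequence, profile_sequence[1:]):
            self.counts[cur][nxt] += 1
    def predict(self, profile, min_prob=0.5):
        """Profiles likely to follow `profile`, with their empirical probability."""
        nxt = self.counts.get(profile, {})
        total = sum(nxt.values())
        return {p: c / total for p, c in nxt.items() if c / total >= min_prob}
    def score(self, profile, observed_next):
        """Record whether the observed successor was predicted; return the hit rate."""
        self.checked += 1
        self.hits += observed_next in self.predict(profile)
        return self.hits / self.checked
    def needs_retraining(self, threshold=0.6):
        return self.checked > 0 and self.hits / self.checked < threshold

def plan_monitoring(model, flow):
    """Inference step: classify the flow, predict correlated profiles and name the
    additional metrics the monitoring engine should start collecting (claim 2)."""
    current = classify(flow)
    expected = model.predict(current)
    extra_metrics = {"latency_ms", "error_rate"} if expected else set()
    return current, expected, extra_metrics

# Constructed training data: per-entity sequences of already-classified flows.
TRAINING = [["dns_lookup", "tls_session", "db_query"],
            ["dns_lookup", "tls_session"], ["dns_lookup", "db_query"]]

def build_model():
    model = CorrelationModel()
    for seq in TRAINING:
        model.train(seq)
    return model
```

With the constructed data, a DNS lookup predicts a TLS session (2 of 3 observed successors), so the planner asks for latency and error-rate metrics ahead of that traffic; once observed successors stop matching predictions, the hit rate drops below the threshold and the model is flagged for re-training.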

Assignees

Extrahop Networks Inc

Classifications

  • H04L41/145 (primary): involving simulating, designing, planning or modelling of a network
  • using machine learning or artificial intelligence
  • the condition being an adaptation, e.g. in response to network events
  • Network monitoring probes
  • Processing captured monitoring data, e.g. for logfile generation

(Titles are CPC class titles; only the primary classification code is shown on this page.)

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Extrahop Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L41/145. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 10, 2019 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).