Creating aggregate network flow time series in network anomaly detection systems

US11606381B2 · US · B2

Patent metadata
Publication number: US-11606381-B2
Application number: US-202217684488-A
Country: US
Kind code: B2
Filing date: Mar 2, 2022
Priority date: Mar 31, 2017
Publication date: Mar 14, 2023
Grant date: Mar 14, 2023

Abstract

Official abstract text for this publication.

In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, the method determines whether a time bucket is complete or open based on the updated probability distribution model.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer implemented method for processing a network flow with a device-circuit pair, comprising: obtaining, by a server, a probability distribution model associated with the device-circuit pair, the probability distribution model indicating, for different time differences of prior network flows through the device-circuit pair, corresponding numbers of occurrences; determining, by the server, a duration of a time bucket according to the probability distribution model associated with the device-circuit pair; determining, by the server, whether to ignore the network flow according to the duration of the time bucket; and detecting, by the server, a network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow, wherein each of the time differences is a difference between i) a start time or an end time of a corresponding prior network flow at one of the device-circuit pair and ii) a file stamp time of the corresponding prior network flow received by the server.

2. The method of claim 1, wherein determining the duration of the time bucket according to the probability distribution model associated with the device-circuit pair includes: determining, by the server, a time delay value according to the probability distribution model; and extending, by the server, an end time of the time bucket according to the time delay value.

3. The method of claim 2, wherein determining the time delay value according to the probability distribution model includes: determining, by the server, the time delay value as a function of a standard deviation value and a mean value of the probability distribution model.

4. The method of claim 1, wherein determining whether to ignore the network flow according to the duration of the time bucket includes: determining, by the server, to ignore the network flow, in response to the network flow received by the server after the duration of the time bucket.

5. The method of claim 4, wherein detecting the network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow includes: detecting the network anomaly associated with the device-circuit pair without the network flow.

6. The method of claim 1, wherein determining whether to ignore the network flow according to the duration of the time bucket includes: determining, by the server, to incorporate the network flow, in response to the network flow received by the server within the duration of the time bucket.

7. The method of claim 6, wherein detecting the network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow includes: detecting the network anomaly associated with the device-circuit pair with the network flow.

8. A system for processing a network flow with a device-circuit pair, comprising: one or more processors; and a non-transitory computer readable medium storing instructions when executed by the one or more processors cause the one or more processors to: obtain a probability distribution model associated with the device-circuit pair, the probability distribution model indicating, for different time differences of prior network flows through the device-circuit pair, corresponding numbers of occurrences, determine a duration of a time bucket according to the probability distribution model associated with the device-circuit pair, determine whether to ignore the network flow according to the duration of the time bucket, and detect a network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow, wherein each of the time differences is a difference between i) a start time or an end time of a corresponding prior network flow at one of the device-circuit pair and ii) a file stamp time of the corresponding prior network flow received by a server.

9. The system of claim 8, wherein the instructions that cause the one or more processors to determine the duration of the time bucket according to the probability distribution model associated with the device-circuit pair include instructions when executed by the one or more processors cause the one or more processors to: determine a time delay value according to the probability distribution model; and extend an end time of the time bucket according to the time delay value.

10. The system of claim 9, wherein the instructions that cause the one or more processors to determine the time delay value according to the probability distribution model include instructions when executed by the one or more processors cause the one or more processors to: determine the time delay value as a function of a standard deviation value and a mean value of the probability distribution model.

11. The system of claim 8, wherein the instructions that cause the one or more processors to determine whether to ignore the network flow according to the duration of the time bucket include instructions when executed by the one or more processors cause the one or more processors to: determine to ignore the network flow, in response to the network flow received by the system after the duration of the time bucket.

12. The system of claim 11, wherein the instructions that cause the one or more processors to detect the network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow include instructions when executed by the one or more processors cause the one or more processors to: detect the network anomaly associated with the device-circuit pair without the network flow.

13. The system of claim 8, wherein the instructions that cause the one or more processors to determine whether to ignore the network flow according to the duration of the time bucket include instructions when executed by the one or more processors cause the one or more processors to: determine to incorporate the network flow, in response to the network flow received by the system within the duration of the time bucket.

14. The system of claim 13, wherein the instructions that cause the one or more processors to detect the network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow include instructions when executed by the one or more processors cause the one or more processors to: detect the network anomaly associated with the device-circuit pair with the network flow.

15. A non-transitory computer readable medium for processing a network flow with a device-circuit pair, the non-transitory computer readable medium storing instructions when executed by one or more processors cause the one or more processors to: obtain a probability distribution model associated with the device-circuit pair, the probability distribution model indicating, for different time differences of prior network flows through the device-circuit pair, corresponding numbers of occurrences; determine a duration of a time bucket according to the probability distribution model associated with the device-circuit pair; determine whether to ignore the network flow according to the duration of the time bucket; and detect a network anomaly associated with the device-circuit pair according to the determination of whether to ignore the network flow, wherein each of the time differences is a difference between i) a start time or an end time of a corresponding prior network flow at one of the device-circuit pair and ii) a file stamp time of the corresponding prior network flow
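The following is an added illustration of the mechanism the abstract and claims 1 to 7 describe; it is not code from the patent or from the assignee. It keeps, per device-circuit pair, a histogram of time differences between a flow's end time and the file stamp time at which the collector received the record, derives a time delay from the mean and standard deviation (the specific form mean + k standard deviations is an assumption, since the claims only say "a function of" both), extends the bucket's end by that delay, and decides whether a late record is incorporated into the bucket's time series or ignored.

```python
import math
from collections import Counter


class DeviceCircuitModel:
    """Per device-circuit pair: how often each time difference occurred.

    The time difference is the gap between a flow's end time at the device
    and the file stamp time at which the collector received the record
    (both in seconds; whole seconds here so the histogram stays small).
    """

    def __init__(self):
        self.counts = Counter()  # time difference -> number of occurrences

    def update(self, flow_end_time, file_stamp_time):
        self.counts[file_stamp_time - flow_end_time] += 1

    def mean_std(self):
        n = sum(self.counts.values())
        if n == 0:
            return 0.0, 0.0
        mean = sum(d * c for d, c in self.counts.items()) / n
        var = sum(c * (d - mean) ** 2 for d, c in self.counts.items()) / n
        return mean, math.sqrt(var)

    def time_delay(self, k=2.0):
        # Assumed form of "a function of mean and standard deviation":
        # mean + k standard deviations covers most of the late arrivals.
        mean, std = self.mean_std()
        return mean + k * std


def bucket_close_time(bucket_end, model, k=2.0):
    """Extend the bucket's nominal end by the modelled reporting delay."""
    return bucket_end + model.time_delay(k)


def bucket_is_complete(now, bucket_end, model, k=2.0):
    """A bucket is 'open' until the extended close time has passed."""
    return now > bucket_close_time(bucket_end, model, k)


def classify_flow(flow_end_time, file_stamp_time, bucket_start, bucket_end,
                  model, k=2.0):
    """Decide how a newly received record affects this time bucket."""
    if not (bucket_start <= flow_end_time < bucket_end):
        return "other_bucket"   # belongs to a different bucket
    if file_stamp_time > bucket_close_time(bucket_end, model, k):
        return "ignore"         # arrived after the bucket completed
    return "incorporate"        # bucket still open: count it in the series
```

Records that arrive after the extended close are dropped rather than retroactively changing a bucket whose value has already been fed to the anomaly detector, which keeps the per-pair time series stable.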

Assignees

Level 3 Communications LLC

Inventors

Classifications

  • Denial of Service · CPC title

  • Probabilistic graphical models, e.g. probabilistic networks · CPC title

  • related to network traffic · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Machine learning · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11606381B2 cover?
In an embodiment, a computer implemented method receives flow data for one or more flows that correspond to a device-circuit pair. The method calculates a time difference for each flow that corresponds to a device-circuit pair. Based on the calculated time differences and the received flow data, the method updates a probability distribution model associated with the device-circuit pair. Then, t…
Who is the assignee on this patent?
Level 3 Communications LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 14, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).