US8935383B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-8935383-B2 |
| Application number | US-201113077550-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 31, 2011 |
| Priority date | Dec 31, 2010 |
| Publication date | Jan 13, 2015 |
| Grant date | Jan 13, 2015 |
Official abstract text for this publication.
Systems and methods are disclosed for analyzing network traffic data to detect anomalies in the data and determine their causes. In one implementation, a system includes a processor and a memory. The memory stores instructions that cause the processor to generate a time series of network traffic values. The processor calculates deviation scores for time entries within the time series and detects anomalies in the time series by comparing the deviation score to a predetermined range. If the processor detects an anomaly, it may determine a list of IP addresses of computers on the network that may have caused the anomaly.
Opening claim text (preview).
What is claimed is:

1. A method for detecting an anomaly on a computer network comprising: generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval; generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry; generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry; calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance; detecting an anomaly at the at least one time entry based on the deviation score; identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred; identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

2. The method according to claim 1, wherein the deviation score is about 0.5 to 1.5.

3. The method according to claim 1, wherein the first time-window is larger than the second time-window.

4. The method according to claim 3, wherein identifying the third group of IP addresses includes: identifying, as the third group of IP addresses, the IP addresses that were included in the second group of IP addresses but were not included in a part of the first group of IP addresses corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.

5. The method according to claim 4, further comprising: instructing one or more servers on the computer network not to process requests from the one or more IP addresses included in the third group of IP addresses.

6. The method according to claim 3, wherein identifying the third group of IP addresses includes: identifying, as the third group of IP addresses, the IP addresses that were included in the first group of IP addresses but not included in the second group of IP addresses, if the deviation score is less than 0.5.

7. The method according to claim 1, wherein the identifying the third group of IP addresses further comprises identifying the third group of IP addresses that have stopped making network requests indicated by a deviation score less than 0.5, wherein the deviation score less than 0.5 indicates that there has been a decrease in an amount of network traffic in the small time-window.

8. The method according to claim 1, wherein the identifying the third group of IP addresses further comprises identifying the third group of IP addresses that have started making network requests indicated by a deviation score greater than 1.5, wherein the deviation score greater than 1.5 indicates that there has been an increase in an amount of network traffic in the small time-window.

9. A network data analysis system for detecting an anomaly on a computer network comprising: a processor; and a memory coupled to the processor, the memory storing instructions to direct the processor to perform operations comprising: generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval; generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry; generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry; calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance; detecting an anomaly at the at least one time entry based on the deviation score; identifying a first group of IP addresses corresponding to the first time-window that corresponds to the at least one time entry where the anomaly occurred; identifying a second group of IP addresses corresponding to the second time-window that corresponds to the at least one time entry where the anomaly occurred; and identifying a third group of IP addresses by comparing the first group of IP addresses to the second group of IP addresses for determining whether one or more of the IP addresses in the third group is responsible for the anomaly.

10. The network data analysis system according to claim 9, wherein identifying the third group of IP addresses includes: identifying, as the third group of IP addresses, the IP addresses that were included in the second group of IP addresses but were not included in a part of the first group of IP addresses corresponding to a part in the first time-window that does not overlap the second time-window, if the deviation score is greater than 1.5.

11. The network data analysis system according to claim 10, the operations performed by the processor further comprising: instructing one or more servers on the computer network not to process requests from the one or more IP addresses included in the third group of IP addresses.

12. The network data analysis system according to claim 9, wherein the identifying the third group of IP addresses further comprises identifying the third group of IP addresses that have stopped making network requests indicated by a deviation score less than 0.5, wherein the deviation score less than 0.5 indicates that there has been a decrease in an amount of network traffic in the small time-window.

13. The network data analysis system according to claim 9, wherein the identifying the third group of IP addresses further comprises identifying the third group of IP addresses that have started making network requests indicated by a deviation score greater than 1.5, wherein the deviation score greater than 1.5 indicates that there has been an increase in an amount of network traffic in the small time-window.

14. A computer-readable storage device storing instructions for analyzing network data, the instructions causing one or more computer processors to perform operations, comprising: generating a time series of network traffic values, wherein each value of the time series of network traffic values comprises a total number of domain name system (DNS) requests made to a DNS server to resolve each DNS request divided by a predetermined time interval; generating a first variance by dividing a sum of the network traffic values of time entries corresponding to a first time-window by the network traffic value of the time series for the time entry; generating a second variance by dividing a sum of the network traffic values of time entries corresponding to a second time-window by the network traffic value of the time series for the time entry; calculating a deviation score for at least one time entry in the time series by dividing the second variance by the first variance; detecting an
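As an added illustration (not the patent's own code), the claimed pipeline in Python: DNS requests counted per interval, a deviation score from a long and a short window ending at the same time entry, and the three IP groups of claims 1, 4 and 6 with the 0.5 and 1.5 thresholds of the dependent claims. The claim divides each window sum by the current entry's value, which cancels in the ratio; this example additionally divides each sum by its window length (an assumption, so the thresholds compare a short-window mean with a long-window mean), and the request records and window sizes are constructed.

```python
from collections import Counter

# Constructed sample DNS request records as (time_slot, client_ip), one per request.
# Slots 0-7: three clients, two requests each per slot. Slot 8: the same three
# clients plus a burst from two addresses not seen before.
SAMPLE_REQUESTS = (
    [(t, ip) for t in range(8) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")] * 2
    + [(8, "10.0.0.1"), (8, "10.0.0.2"), (8, "10.0.0.3")]
    + [(8, "198.51.100.7")] * 20 + [(8, "198.51.100.9")] * 15
)

def time_series(requests, n_slots):
    """Network traffic values: DNS requests counted per time interval (claim 1)."""
    counts = Counter(t for t, _ in requests)
    return [counts.get(t, 0) for t in range(n_slots)]

def deviation_score(series, t, large, small):
    """Second 'variance' over first 'variance' for time entry t (claim 1).
    The claim divides each window sum by series[t]; that cancels in the ratio.
    Assumption: each sum is also divided by its window length, so the score is
    the short-window mean relative to the long-window mean."""
    if t < large - 1 or small > large:
        raise ValueError("not enough history for the requested windows")
    long_mean = sum(series[t - large + 1 : t + 1]) / large
    short_mean = sum(series[t - small + 1 : t + 1]) / small
    if long_mean == 0:
        return 0.0 if short_mean == 0 else float("inf")
    return short_mean / long_mean

def ips_in(requests, start, end):
    """Set of client IPs that made at least one request in slots start..end."""
    return {ip for t, ip in requests if start <= t <= end}

def suspect_ips(requests, series, t, large, small, low=0.5, high=1.5):
    """Return (score, third group): the IPs to examine for time entry t.
    Score above high: addresses active in the short window but absent from the
    part of the long window that does not overlap it (claims 4 and 8).
    Score below low: addresses seen in the long window that went silent in the
    short one (claims 6 and 7). Scores within [low, high] are normal (claim 2)."""
    score = deviation_score(series, t, large, small)
    first = ips_in(requests, t - large + 1, t)   # first group, long window
    second = ips_in(requests, t - small + 1, t)  # second group, short window
    if score > high:
        non_overlap = ips_in(requests, t - large + 1, t - small)
        return score, second - non_overlap
    if score < low:
        return score, first - second
    return score, set()
```

Claim 5's response step (telling servers to drop requests from the third group) is left to the operator; a score in the normal band returns an empty set so nothing is blocked on ordinary traffic.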
CPC classification titles:

- Tracing the source of attacks
- Denial of Service
- Processing captured monitoring data, e.g. for logfile generation
- Traffic logging, e.g. anomaly detection
- using flow identification