Mixture model approach for network forecasting
US-9426036-B1 · Aug 23, 2016 · US
Anomaly detection using device relationship graphs
US9729416B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9729416-B1 |
| Application number | US-201615207213-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jul 11, 2016 |
| Priority date | Jul 11, 2016 |
| Publication date | Aug 8, 2017 |
| Grant date | Aug 8, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, the NMC perform further actions to process the error signals. The device relation model may be traversed to identify agents associated with the error signals. The network traffic associated with the error signals and the agents may be analyzed by the NMC. If the error signals are associated with anomalies in the network traffic, users may be notified. The device relation model may be updated upon discovery of new computing devices, new applications, or new associations between agents.
First claim
Opening claim text (preview).
What is claimed as new and desired to be protected by Letters Patent of the United States is: 1. A method for monitoring network traffic in a network, wherein one or more processors in a network computer execute instructions to perform actions, comprising: providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and instantiating a network monitoring application to perform actions, including: detecting one or more error signals; employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other; traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model; analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal; reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network. 2. The method of claim 1 , wherein providing the device relation model, further comprises: adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents. 3. The method of claim 1 , wherein providing the device relation model further comprises: providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold. 4. The method of claim 1 , further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents. 5. The method of claim 1 , wherein providing the device relation model, further comprises: associating the one or more agents with applications based on their network traffic; and assigning the one or more agents to one or more groups based on their network traffic and their associated applications. 6. The method of claim 1 , wherein analyzing the network traffic further comprises: comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison. 7. The method of claim 1 , further comprising, when one or more of the one or more anomalies in the network traffic are caused by error signals associated with one or more upstream anomalies, discarding the one or more anomalies caused by the error signals associated with the one or more upstream anomalies. 8. A system for monitoring network traffic in a network comprising: a network computer, comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: providing a device relation model that is comprised of a graph for two or more nodes and one or more edges stored in memory of the network computer, wherein each node represents an agent and each edge represents a relationship between two agents; and instantiating a network monitoring application to perform actions, including: detecting one or more error signals; employing network traffic from two or more non-associated agents that is correlated to add one or more phantom edges to the device relation model to associate the two or more non-associated agents with each other; traversing the device relation model to identify one or more agents that are associated with the one or more error signals and that are associated with each other in the device relation model; analyzing the network traffic associated with the one or more error signals and the one or more agents to identify a plurality of anomalies that correspond to more than one agent that is associated with a same error signal; reducing an amount of the plurality of anomalies into one or more anomalies based on the graph of the device relation model; and employing the one or more anomalies in the network traffic to update the device relation model and notifying a user of the one or more anomalies in the network; and a client computer, comprising: a transceiver that communicates over the network; a memory that stores at least instructions; and one or more processors that execute instructions that perform actions, including: providing one or more portions of the network traffic to the network. 9. The system of claim 8 , wherein providing the device relation model, further comprises: adding one or more nodes to the device relation model based on the network traffic, wherein the one or more nodes each represent an agent in the network; and adding one or more edges to the device relation model based on the network traffic, wherein the one or more edges correspond to an association between two agents. 10. The system of claim 8 , wherein providing the device relation model further comprises: providing one or more weight values that are associated with the one or more edges, wherein the one or more weight values indicate a strength of an association between two agents; and removing one or more of the one or more edges from the device relation model that are associated with a weight value that is less than a defined threshold. 11. The system of claim 8 , wherein the network computer's one or more processors execute instructions that perform actions, further comprising, updating the device relation model based on the network, wherein the device relation model is updated upon a discovery of one or more of new computing devices in the network, new applications in the network, or new associations between agents. 12. The system of claim 8 , wherein providing the device relation model, further comprises: associating the one or more agents with applications based on their network traffic; and assigning the one or more agents to one or more groups based on their network traffic and their associated applications. 13. The system of claim 8 , wherein analyzing the network traffic further comprises: comparing a portion of the error signals that are associated with one or more of the one or more agents with another portion of the error signals that are associated with one or more other agents of the one or more agents; and associating the one or more error signals with the one or more anomalies of the network traffic based on a result of the comparison. 14. The system of claim 8 , wherein the network comput
Assignees
Inventors
Classifications
involving simulating, designing, planning or modelling of a network · CPC title
involving logical or physical relationship, e.g. grouping and hierarchies · CPC title
Group management mechanisms (management of multicast group membership H04L12/185; reconfiguring of node membership in a computing system to eliminate errors G06F11/1425) · CPC title
Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] · CPC title
- H04L43/0823Primary
Errors, e.g. transmission errors · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9729416B1 cover?
- Embodiments are directed to monitoring network traffic in a network. A device relation model that may be comprised of two or more nodes and one or more edges stored in memory of the network computer may be provided to a network monitoring computer (NMC), such that each node represents an agent and each edge represents a relationship between two agents. If error signals are detected by the NMC, …
- Who is the assignee on this patent?
- Extrahop Networks Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L43/0823. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Aug 08 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).