Title of invention METHOD AND SYSTEM TO DYNAMICALLY DETECT TRAFFIC ANOMALIES IN A NETWORK
Abstract Methods implemented in a network are disclosed for dynamically distributing tasks of traffic anomaly monitoring and detecting traffic anomalies. The method starts by collecting traffic statistics of large blocks of traffic flows as traffic aggregates. Based on the traffic statistics of the traffic aggregates, a traffic anomaly is detected. Then, for a traffic aggregate with a traffic anomaly, an increased traffic sampling rate is applied to a smaller set of traffic flows within the traffic aggregate. If the smaller set of traffic flows does not contain a percentage of the traffic within the traffic aggregate, the sampling rate is further increased on an even smaller set of traffic flows until a small set of traffic flows is identified as the ones causing the traffic anomaly.
Publication number US2014325649(A1) Publication date 2014.10.30
Application number US201313872855 Filing date 2013.04.29
Applicant TELEFONAKTIEBOLAGET L M ERICSSON (PUBL) Inventor Zhang Ying
Classification H04L29/06 Main classification H04L29/06
Agency Agent
Main claim 1. A method implemented in a network, wherein the network contains network devices, wherein traffic flows transmit through a number of network devices of the network, the method comprising: dividing traffic flows of the network into a plurality of traffic aggregates, wherein each traffic aggregate contains one or more traffic flows, and wherein each traffic aggregate is an entry of a first set for monitoring; and for each entry of the first set for monitoring, collecting a second set of one or more network devices from the network devices of the network to monitor the entry, wherein the second set of one or more network devices processes traffic flows contained within the entry; and selecting one network device from the second set of one or more network devices to monitor the entry for a traffic anomaly, wherein the selecting one network device from the second set of one or more network devices is at least partially based on a monitor count of the network device, and wherein the monitor count of the network device is a count of a number of entries of the first set for monitoring that the network device is assigned to monitor.
Address Stockholm SE
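
The monitor selection described in the main claim, as an added example that is not part of the patent text or the applicant's code. It assumes that aggregates are formed by destination prefix, that the candidate set is the devices on the path of every flow in the aggregate, and that the candidate with the lowest monitor count wins (ties broken by name); the device names and flows are constructed.

```python
from collections import defaultdict

# Constructed sample: each flow is (destination prefix, devices on its path).
FLOWS = [
    ("10.1.0.0/16", ["s1", "s2", "s4"]),
    ("10.1.0.0/16", ["s1", "s3", "s4"]),
    ("10.2.0.0/16", ["s1", "s2"]),
    ("10.3.0.0/16", ["s2", "s4"]),
    ("10.4.0.0/16", ["s1", "s4"]),
]


def divide_into_aggregates(flows):
    """Group flows by destination prefix; each group is one entry to monitor."""
    aggregates = defaultdict(list)
    for prefix, path in flows:
        aggregates[prefix].append(path)
    return dict(aggregates)


def candidate_devices(paths):
    """Devices that process every flow of the aggregate (assumed reading)."""
    common = set(paths[0])
    for path in paths[1:]:
        common &= set(path)
    return common


def assign_monitors(flows):
    """Pick, per aggregate, the candidate with the lowest monitor count."""
    monitor_count = defaultdict(int)  # entries each device already monitors
    assignment = {}
    for prefix, paths in sorted(divide_into_aggregates(flows).items()):
        candidates = candidate_devices(paths)
        if not candidates:
            assignment[prefix] = None  # no single device sees every flow
            continue
        chosen = min(candidates, key=lambda d: (monitor_count[d], d))
        monitor_count[chosen] += 1
        assignment[prefix] = chosen
    return assignment, dict(monitor_count)


if __name__ == "__main__":
    for prefix, device in assign_monitors(FLOWS)[0].items():
        print(prefix, "->", device)
```

An aggregate that comes back with `None` has no single vantage point and would need to be split into smaller aggregates before a monitor can be assigned.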