Title: Methods, devices and computer program products for actionable alerting of malevolent network addresses based on generalized traffic anomaly analysis of IP address aggregates
Abstract: Methods for providing alerts in a network are disclosed. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.
Publication number: US8874763(B2) Publication date: 2014.10.28
Application number: US201012940432 Filing date: 2010.11.05
Applicant: AT&T Intellectual Property I, L.P. Inventors: Ehrlich Willa; Chakka Ratna; Fermon Eric; Hoeflin David; Ortiz Manuel
Classification: G06F15/16; H04L29/06; H04L12/24 Main classification: G06F15/16
Agency: Myers Bigel Sibley & Sajovec Agent: Myers Bigel Sibley & Sajovec
Principal claim: 1. A method for providing alerts in a network, the method comprising: collecting network traffic data corresponding to a plurality of subsets of network addresses during a predefined time interval; generating an event alert corresponding to anomalous network activity based on the network traffic and using the following anomaly detection metrics: determining a total network traffic volume in the predefined time interval; determining a standardized entropy of a distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval; and determining a relative entropy of the distribution of traffic share of the plurality of subsets of network addresses in the predefined time interval relative to a baseline distribution of traffic share of respective ones of the plurality of subsets of network addresses; identifying a suspect subset of the plurality of subsets of network addresses that corresponds to anomalous network activity using an odds ratio test that determines whether traffic volume for the suspect subset at a given time is significantly higher than a baseline traffic volume for the suspect subset, and wherein the odds ratio represents odds of the suspect subset having a higher traffic volume at the given time compared to a baseline traffic volume relative to odds of all other ones of the plurality of subsets having higher traffic volumes compared to their respective baseline traffic volumes; and identifying a source network address within the suspect subset of network addresses that corresponds to the anomalous network activity.
Address: Atlanta GA US
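The aggregate-level metrics named in the principal claim (total volume, standardized entropy of the traffic-share distribution, relative entropy against a baseline) and a per-subset odds-ratio test, worked through in Python as an added example that is not code from the patent or from AT&T. The subnet labels and flow counts are constructed, the alerting threshold is assumed, and the odds-ratio formula is an assumed simplification of the claim's wording (subset's growth over its baseline divided by all other subsets' growth over theirs).

```python
import math

# Constructed sample data: flow counts per /24 aggregate in the baseline interval
# and in the interval under analysis. One aggregate carries a large surge.
BASELINE = {"10.0.1.0/24": 1000, "10.0.2.0/24": 1200, "10.0.3.0/24": 900, "10.0.4.0/24": 1100}
CURRENT = {"10.0.1.0/24": 1050, "10.0.2.0/24": 1150, "10.0.3.0/24": 9000, "10.0.4.0/24": 1000}


def traffic_share(counts):
    """Fraction of the interval's total volume carried by each aggregate."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def standardized_entropy(counts):
    """Shannon entropy of the traffic-share distribution divided by log(n),
    so 1.0 means volume is spread evenly and values near 0 mean it is concentrated."""
    shares = traffic_share(counts)
    n = len(shares)
    if n < 2:
        return 0.0
    h = -sum(p * math.log(p) for p in shares.values() if p > 0)
    return h / math.log(n)


def relative_entropy(counts, baseline):
    """KL divergence of the current share distribution from the baseline's; 0 means same mix."""
    p, q = traffic_share(counts), traffic_share(baseline)
    return sum(p[k] * math.log(p[k] / q[k]) for k in p if p[k] > 0)


def aggregate_metrics(counts, baseline):
    """The three interval-level metrics from the claim, as one record."""
    return {
        "total_volume": sum(counts.values()),
        "standardized_entropy": standardized_entropy(counts),
        "relative_entropy": relative_entropy(counts, baseline),
    }


def odds_ratio(counts, baseline, subset):
    """Assumed simplification of the claim's test: odds that `subset` rose over its
    baseline, relative to the odds that all other subsets rose over theirs."""
    a, b = counts[subset], baseline[subset]
    c = sum(v for k, v in counts.items() if k != subset)
    d = sum(v for k, v in baseline.items() if k != subset)
    return (a / b) / (c / d)


def suspect_subsets(counts, baseline, threshold=3.0):
    """Aggregates whose odds ratio exceeds the assumed alerting threshold; the claim's
    final step would then drill into these to find the responsible source address."""
    return sorted(k for k in counts if odds_ratio(counts, baseline, k) > threshold)
```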