Computing networks can include multiple network devices such as servers, desktop PCs, laptops, workstations, PDAs, and wireless phones, among other peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN). A LAN and/or WAN uses clients and servers that have network-enabled operating systems such as Windows, Mac, Linux, and Unix. An example of a client includes a user's workstation. The servers can hold programs and data that are shared by the clients in the computing network.
A networking operating system implements protocol stacks and device drivers for networking hardware. One example of a protocol stack includes the open system interconnection (OSI) model. The OSI model is an ISO standard for worldwide communications that defines a framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding down to the bottom layer, over the channel to the next station, and back up the hierarchy. Most of the functionality in the OSI model exists in all communications systems, although two or three OSI layers may be incorporated into one. Other protocol stack models include those used in transmission control protocol/internet protocol (TCP/IP) and in the signaling system 7 (SS7) model, as known and understood by those of ordinary skill in the art.
A network device having processor logic and memory, such as the network devices described herein, includes an operating system layer and an application layer to enable the device to perform various functions or roles. The operating system layer includes a master control program that runs the network device. As understood by one of ordinary skill in the art, the master control program provides task management, device management, and data management, among others. The operating system layer communicates with program applications running thereon through a number of APIs. The APIs include a language and/or message format used by an application program to communicate with the operating system. The language and/or message format of the APIs allow an operating system to interpret executable instructions received from program applications in the application layer and return results to applications.
As mentioned above, network devices in a LAN and/or WAN include hardware components, such as trunk lines, switches, routers, hubs, wireless access points, servers, and databases. LANs and/or WANs can also include software, application modules, firmware, and other computer executable instructions operable thereon.
Network devices such as switches, hubs, routers, and wireless access points, for example, are used to distribute and restrict traffic within workgroups of a network. Network devices can also provide filtering of inter- or intra-network traffic for security purposes and policy management. This sort of network device functionality can also be incorporated into other devices within a network environment, such as a file server, a load balancing device, or other such network appliance.
Managing network communication between network devices in the network can be provided by various network protocols including, but not limited to, simple network management protocol (SNMP), common management information protocol (CMIP), distributed management environment (DME), extensible markup language (XML), telnet protocol, and internet control message protocol (ICMP) to name a few. ICMP is a TCP/IP protocol used to send error and control messages. A network device may use ICMP to notify a sender that its destination node is not available. For example, a ping utility sends ICMP echo requests to verify the existence of an IP address. The ping is used to identify a network device status, e.g., whether the network device is up or down.
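The ICMP echo request that a ping utility sends is a small fixed-format message: type 8, code 0, a 16-bit Internet checksum, an identifier, a sequence number, and an optional payload; the reply comes back as type 0, and "destination not available" is signalled as type 3. The following example, added here and not part of the original text, builds and parses such messages in pure Python and computes the RFC 1071 one's-complement checksum. It only constructs and inspects bytes; it does not send anything (transmitting ICMP needs a raw socket and elevated privileges). The function names and the constructed sample packet are the author's own choices, not from the page.

```python
import struct

# ICMP type values defined in RFC 792.
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    8: "echo request",
    11: "time exceeded",
}

ICMP_HEADER = "!BBHHH"  # type, code, checksum, identifier, sequence (big-endian)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement of the one's-complement
    sum of all 16-bit words, with a zero byte of padding for odd lengths."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """Assemble an ICMP echo request (type 8, code 0) with a valid checksum."""
    # Checksum is computed over the whole message with the checksum field zeroed.
    header = struct.pack(ICMP_HEADER, 8, 0, 0, identifier, sequence)
    csum = inet_checksum(header + payload)
    return struct.pack(ICMP_HEADER, 8, 0, csum, identifier, sequence) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message, rejecting short or corrupted packets.

    A receiver verifies the checksum by summing the whole message including
    the checksum field; a valid message folds to zero."""
    if len(packet) < struct.calcsize(ICMP_HEADER):
        raise ValueError("packet shorter than ICMP header")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum, identifier, sequence = struct.unpack(
        ICMP_HEADER, packet[: struct.calcsize(ICMP_HEADER)]
    )
    return {
        "type": icmp_type,
        "kind": ICMP_TYPES.get(icmp_type, "other"),
        "code": code,
        "identifier": identifier,
        "sequence": sequence,
        "payload": packet[struct.calcsize(ICMP_HEADER):],
    }


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """Match an echo reply to its request by identifier and sequence, the way a
    ping utility decides that a probed device is up."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (
        req["type"] == 8
        and rep["type"] == 0
        and req["identifier"] == rep["identifier"]
        and req["sequence"] == rep["sequence"]
    )


if __name__ == "__main__":
    # Constructed sample: identifier 1, sequence 1, three-byte payload.
    pkt = build_echo_request(1, 1, b"abc")
    print(pkt.hex(), parse_icmp(pkt))
```

The header-only request with identifier 1 and sequence 1 sums to 0x0802 before complementing, so its checksum field is 0xF7FD; flipping any bit of the packet makes `parse_icmp` raise, which is the behaviour a receiver relies on to discard damaged messages.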
Any number of network devices, such as those mentioned above, may be included in a network. In some situations, network devices can go offline or malfunction. Additionally, network devices and computing networks can come under attack from outside sources such as malicious code, e.g., worms and viruses, and malicious users, e.g., port scanners, denial of service attacks, and the like. In such cases, the integrity of network devices can be compromised, e.g., sensitive information disclosed, backdoors planted, and the availability of a computing network can be severely to catastrophically degraded. A router is one example of a good sensing point to track unusual or abnormal network data traffic and/or behavior, although other sensing points such as switches, access points, or other network infrastructure devices may also be used. Routers may be set with a predetermined threshold to limit logical network-level connections to a network device or destination endpoint. However, such static thresholds do not accommodate valid random events. Some computing networks employ program applications which use linear feedback algorithms as part of managing network communications. Again, similar to the static thresholds in routers, such linear feedback algorithms do not accommodate valid random network events. As a result, such approaches can produce a measurable occurrence of false positives, e.g., network flag/alarm signals when they are inappropriate, as well as missed events or false negatives, e.g., no network flag/alarm signal when one is indeed appropriate. Further, linear feedback algorithms are unable to estimate the data traffic and/or event rate or count for future events, e.g., such program applications do not learn from network activity and are reactive rather than proactive.
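To make the false-positive problem concrete, the following example, added here and not part of the original text, runs two detectors over a constructed series of per-minute connection counts toward one endpoint. The series contains two one-off legitimate bursts (the "valid random events" the paragraph refers to) and, later, a sustained ramp of the kind a defender would want flagged. A fixed router-style cap flags both bursts along with the ramp; a detector that keeps a running estimate of the normal mean and variance, ignores samples it considers anomalous when updating that estimate, and only alarms once an excursion persists for several consecutive samples flags the ramp alone. The adaptive design, its parameters (`alpha`, `k`, `persistence`, `min_std`), and the sample data are the author's own illustration of the trade-off, not the patent's method or any product's algorithm; the EWMA baseline also yields a simple forecast of the next expected count, which a purely reactive threshold cannot provide.

```python
import statistics
from dataclasses import dataclass

# Constructed per-minute connection counts toward one endpoint (not real data).
# Indices 10 and 25 are one-off legitimate bursts, e.g. a scheduled job;
# indices 30-39 are a sustained ramp that should be flagged.
SAMPLES = [
    48, 52, 50, 47, 53, 49, 51, 50, 52, 48,          # 0-9: warm-up, normal
    95,                                              # 10: legitimate burst
    50, 49, 51, 52, 48, 50, 53, 47, 51, 50,          # 11-20: normal
    49, 52, 48, 50,                                  # 21-24: normal
    92,                                              # 25: legitimate burst
    51, 49, 50, 52,                                  # 26-29: normal
    70, 85, 100, 120, 140, 160, 180, 200, 220, 240,  # 30-39: sustained ramp
]


def static_threshold_alerts(samples, threshold):
    """Router-style fixed cap: every sample above the threshold raises a flag."""
    return [i for i, x in enumerate(samples) if x > threshold]


@dataclass
class AdaptiveDetector:
    """Baseline that learns the normal level and spread from traffic and
    alarms only on a persistent excursion above it."""
    alpha: float = 0.2        # EWMA weight given to each new normal sample
    k: float = 4.0            # alarm band in standard deviations above the mean
    persistence: int = 3      # consecutive excursions required before alarming
    min_std: float = 2.0      # floor so a very quiet baseline is not over-sensitive
    mean: float = 0.0
    var: float = 0.0
    streak: int = 0

    @classmethod
    def from_warmup(cls, warmup, **params):
        det = cls(**params)
        det.mean = statistics.fmean(warmup)
        det.var = statistics.pvariance(warmup)
        return det

    def std(self):
        return max(self.var ** 0.5, self.min_std)

    def forecast(self):
        """Expected next count and the upper bound of the normal band."""
        return self.mean, self.mean + self.k * self.std()

    def observe(self, x):
        """Feed one sample; return True when an alarm should be raised."""
        z = (x - self.mean) / self.std()
        if z > self.k:
            # Excursion: count it toward persistence but keep it out of the
            # baseline so an attack cannot teach the detector that it is normal.
            self.streak += 1
            return self.streak >= self.persistence
        self.streak = 0
        dev = x - self.mean
        self.mean += self.alpha * dev
        self.var = (1 - self.alpha) * self.var + self.alpha * dev * dev
        return False


def adaptive_alerts(samples, warmup=10, **params):
    det = AdaptiveDetector.from_warmup(samples[:warmup], **params)
    return [i for i in range(warmup, len(samples)) if det.observe(samples[i])]


if __name__ == "__main__":
    print("static  :", static_threshold_alerts(SAMPLES, 80))
    print("adaptive:", adaptive_alerts(SAMPLES))
    print("forecast after warm-up:", AdaptiveDetector.from_warmup(SAMPLES[:10]).forecast())
```

With a cap of 80 the static detector reports minutes 10 and 25 (the two legitimate bursts) as well as 31 through 39; the adaptive detector reports 32 through 39 only, because the ramp has to exceed the learned band for three consecutive minutes before the first alarm. The persistence requirement is what absorbs isolated random events; the price is a delay of `persistence - 1` samples on a genuine attack, which is the trade-off a defender tunes deliberately rather than by guessing a fixed number.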