As local networking fabrics interact with the Internet and cyber attacks continue to grow to threaten use of the fabrics, many entities including corporations, governments, or militaries seek to detect anomalies associated with their fabrics. Unfortunately, known anomaly detection techniques fail to adequately cover the full fabric or provide sufficient capabilities to detect subtle intrusions. Consider the following previous efforts directed to detecting attacks.
U.S. Pat. No. 7,234,168 to Gupta titled “Hierarchy-Based Method and Apparatus for Detecting Attacks on a Computer System”, filed Jun. 13, 2002, describes classifying intrusions according to a hierarchy, then traversing the hierarchy to identify a type of attack and determine possible counter measures.
U.S. Pat. No. 7,793,138 to Rastogi et al. titled “Anomaly Detection for Storage Traffic in a Data Center”, filed Dec. 21, 2005, discusses detection of deviations from traffic in a storage area network where the deviations can indicate an anomaly type.
U.S. patent application publication 2007/0064617 to Reyes titled “Traffic Anomaly Analysis for the Detection of Aberrant Network Code”, filed Sep. 16, 2005, describes monitoring traffic from various nodes in a network to determine if the nodes have been infected by aberrant code.
U.S. Pat. No. 7,779,119 to Ginter et al. titled “Event Monitoring and Management” filed May 30, 2007, describes using agents in a network to report data on network activity. When a signature matches an alarm condition a notification can be sent.
Unless the context dictates the contrary, all ranges set forth herein should be interpreted as being inclusive of their endpoints and open-ended ranges should be interpreted to include commercially practical values. Similarly, all lists of values should be considered as inclusive of intermediate values unless the context indicates the contrary.
Although the above references are useful in monitoring network data, they fail to address several key points. First, sending raw data throughout the network is consumptive of time and bandwidth. Second, simply comparing a set of parameters against a static list of conditions leaves gaps in intrusion detection because new threats might not yet be defined by previously defined conditions.
What has yet to be appreciated is that an anomaly can relate to multiple, possibly correlated, behaviors rather than multiple individual metrics. A better approach to would be to monitor a fabric behavior with respect to a vector of behavior metrics where the metrics can be weakly correlated, strongly correlated, or lack correlation. Furthermore, detection criteria for detecting an anomaly based on the vector can be disaggregated and sent among relevant networking nodes. It has also yet to be appreciated that it is unnecessary to aggregate raw data to determine if an anomaly has occurred, is occurring, or is about to occur. Each network node can locally monitor one or more vectors of behavior metrics relating to an anomaly criterion. When the criterion is satisfied, the node can report a criterion status rather than sending bulk raw data.
Thus, there is still a need for method of detecting anomalies in a network fabric.