The monitoring of networks and their constituent machines to detect and isolates intrusions, faults, crashes, and other conditions is known. In large-scale networks and other settings, various network management platforms exist that can monitor and capture a steady stream of data points related to the operation of a network. Those data points can include, for example, the type, number, frequency, and distribution of machine crashes or other faults, the number and type of attempted intrusions, the identity of any detected viruses or other malicious software, and other operational network data.
Under existing management platforms, the record of network activity logged by network management servers can be examined, in real time or historically, to locate patterns or trends in that data that may indicate performance, security, or other issues. In existing platforms, the data may in general only be examined, or reports may only be run, on trends that show an increase or decrease over unit time. However, some trends, patterns, or events may only reveal themselves or more clearly be revealed, from the change in rate (positive or negative) at which those events occur. For instance, if the rate at which attempted intrusions are occurring is increasing at an increasing rate, or accelerating, that indicator may be more significant than detecting a mere increase in that type of event. Similarly, if the rate of acceleration of certain events is changing, or jerking, that indicator may reveal other patterns or events that other, lower order trend lines do not make clear.
Further, in the tracking performed by existing network management platforms, the correlation between multiple higher-order trend lines, including in their time sequence of occurrence, is not taken into account. For instance, a trend line for attempted intrusions whose rate of jerk peaks in the same time period that regular network maintenance is performed may reveal a concerted attempt to enter the network at a time when defensive resources may be compromised. It may be desirable to provide systems and methods for detecting network conditions based on a correlation between trend lines, in which higher order derivatives of trends, and/or a temporal correlation between multiple trends and/or their derivatives, can be employed to sensitively detect anomalous network event signatures.