Claims
- 1. A computer implemented method to assign nodes in a network to groups of nodes, comprises:
grouping nodes on a network into groups based on host connection set data by identifying bi-connected components in the host connection set data; and merging groups with similar connection habits as determined by examining the host connection set data into larger groups.
- 2. The method of claim 1 wherein a bi-connected component is a connected component in which any two edges lie in a simple cycle.
- 3. The method of claim 2 wherein grouping comprises:
identifying groups having one or more hosts with similar connection habits.
- 4. The method of claim 3 wherein grouping includes assigning a unique integer identifier to each group.
- 5. The method of claim 1 wherein merging groups comprises:
merging group pairs with similar connection habits to form larger groups.
- 6. The method of claim 5 wherein merging further comprises:
determining whether a minimum similarity threshold is met before two groups are merged to form a larger group.
- 7. The method of claim 1 wherein forming groups produces groups based on observed connection patterns.
- 8. The method of claim 1 wherein grouping uses two types of representations of the network, connectivity graphs and k-neighborhood graphs.
- 9. The method of claim 8 wherein grouping comprises:
representing in a connectivity graph a host and an edge between vertices denoting a one-hop connectivity between the corresponding hosts.
- 10. The method of claim 9 wherein grouping further comprises:
constructing a k-neighborhood graph to identify bi-connected components in the k-neighborhood graph; and when a set of hosts is placed into a group, assigning nodes in one group to a new group by removing vertices representing those hosts from the connectivity graph and replacing the vertices by one vertex representing the entire group.
- 11. The method of claim 1 wherein the grouping is repeated until the groups are large enough.
- 12. The method of claim 1 wherein merging further comprises:
building a k-neighborhood graph from the connection graph; removing group nodes from the connection graph; and generating all bi-connected components in k-neighborhood graph.
- 13. The method of claim 12 wherein for each bi-connected component grouping further comprises:
replacing the nodes in the connection graph by a new group node of those nodes; and labeling a group by a unique identifier and by the degree of similarity between groups.
- 14. The method of claim 13 further comprising:
iteratively examining the connection graph until no ungrouped node remains or the similarity in connection behavior between nodes is zero.
- 15. The method of claim 1 wherein merging merges groups that are similar in connection habits, and considers two groups to be similar if they meet a similarity requirement and a connection requirement.
- 16. The method of claim 15 wherein the similarity requirement is met if the similarity measure between the two groups exceeds user-defined thresholds.
- 17. The method of claim 15 wherein the connection requirement is met if the average number of connections of each group is comparable.
- 18. The method of claim 12 wherein for each group pair that meets the average connection requirement and the similarity requirement, the group merging comprises:
appending a triple (G1, G2, s) to a list of node edges, where s represents the degree of similarity between groups G1 and G2.
- 19. The method of claim 18 wherein the group merging further comprises:
sorting the list of edges based on their s values in descending order.
- 20. The method of claim 19 wherein the group merging further comprises:
forming a new group based on G1 and G2 and assigning a number of connection pairs a host in G.
- 21. Apparatus comprises:
a processor; a memory for executing a computer program and a computer readable medium for storing the computer program product for assigning nodes in a network to groups of nodes, comprises instructions for causing a computer to:
group nodes on a network into groups based on host connection set data by identifying bi-connected components in the host connection set data; and merge groups with similar connection habits as determined by examining the host connection set data into larger groups.
- 22. The apparatus of claim 21 wherein a bi-connected component is a connected component in which any two edges lie in a simple cycle.
- 23. The apparatus of claim 21 wherein instructions to group comprises instructions to:
identify groups having one or more hosts with similar connection habits.
- 24. The apparatus of claim 21 wherein instructions to group comprises instructions to:
assign a unique integer identifier to each group.
- 25. The apparatus of claim 21 wherein instructions to merge groups comprises instructions to:
merge group pairs with similar connection habits to form larger groups.
- 26. The apparatus of claim 21 wherein instructions to merge groups comprises instructions to:
determine whether a minimum similarity threshold is met before two groups are merged to form a larger group.
- 27. The apparatus of claim 21 wherein instructions to form groups produces groups based on observed connection patterns.
- 28. The apparatus of claim 21 wherein instructions to group uses two types of representations of the network, connectivity graphs and k-neighborhood graphs.
- 29. The apparatus of claim 28 wherein instructions to group comprises instructions to:
represent in a connectivity graph a host and an edge between vertices denoting a one-hop connectivity between the corresponding hosts.
- 30. The method of claim 29 wherein instructions to group further comprises instructions to:
construct a k-neighborhood graph to identify bi-connected components in the k-neighborhood graph; and when a set of hosts is placed into a group, assign nodes in one group to a new group by removing vertices representing those hosts from the connectivity graph and replacing the vertices by one vertex representing the entire group.
- 31. The apparatus of claim 21 wherein instructions to group repeat until the groups are large enough.
- 32. The apparatus of claim 21 wherein instructions to merge further comprises instructions to:
build a k-neighborhood graph from the connection graph; remove group nodes from the connection graph; and generate all bi-connected components in k-neighborhood graph.
- 33. The apparatus of claim 32 wherein for each bi-connected component instructions to group further comprises instructions to:
replace the nodes in the connection graph by a new group node of those nodes; and label a group by a unique identifier and by the degree of similarity between groups.
- 34. The apparatus of claim 33 further comprising instructions to:
iteratively examining the connection graph until no ungrouped node remains or the similarity in connection behavior between nodes is zero.
- 35. The apparatus of claim 21 wherein instructions to merge merges groups that are similar in connection habits, and considers two groups to be similar if they meet a similarity requirement and a connection requirement.
- 36. A computer program product residing on a computer readable medium for assigning nodes in a network to groups of nodes comprises instructions for causing a computer to:
group nodes on a network into groups based on host connection set data by identifying bi-connected components in the host connection set data; and merge groups with similar connection habits as determined by examining the host connection set data into larger groups.
- 37. The computer program product of claim 36 wherein a bi-connected component is a connected component in which any two edges lie in a simple cycle.
- 38. The computer program product of claim 36 wherein instructions to group comprises instructions to:
identify groups having one or more hosts with similar connection habits.
- 39. The computer program product of claim 36 wherein instructions to group comprises instructions to:
assign a unique integer identifier to each group.
- 40. The computer program product of claim 36 wherein instructions to merge groups comprises instructions to:
merge group pairs with similar connection habits to form larger groups.
- 41. The computer program product of claim 36 wherein instructions to merge groups comprises instructions to:
determine whether a minimum similarity threshold is met before two groups are merged to form a larger group.
- 42. The computer program product of claim 36 wherein instructions to form groups produces groups based on observed connection patterns.
- 43. The computer program product of claim 36 wherein instructions to group uses two types of representations of the network, connectivity graphs and k-neighborhood graphs.
- 44. The computer program product of claim 43 wherein instructions to group comprises instructions to:
represent in a connectivity graph a host and an edge between vertices denoting a one-hop connectivity between the corresponding hosts.
- 45. The computer program product of claim 44 wherein instructions to group further comprises instructions to:
construct a k-neighborhood graph to identify bi-connected components in the k-neighborhood graph; and when a set of hosts is placed into a group, assign nodes in one group to a new group by removing vertices representing those hosts from the connectivity graph and replacing the vertices by one vertex representing the entire group.
- 46. The computer program product of claim 36 wherein instructions to group repeat until the groups are large enough.
- 47. The computer program product of claim 36 wherein instructions to merge further comprises instructions to:
build a k-neighborhood graph from the connection graph; remove group nodes from the connection graph; and generate all bi-connected components in k-neighborhood graph.
- 48. The computer program product of claim 36 wherein for each bi-connected component instructions to group further comprises instructions to:
replace the nodes in the connection graph by a new group node of those nodes; and label a group by a unique identifier and by the degree of similarity between groups.
- 49. The computer program product of claim 48 further comprising instructions to:
iteratively examining the connection graph until no ungrouped node remains or the similarity in connection behavior between nodes is zero.
- 50. The computer program product of claim 36 wherein instructions to merge merges groups that are similar in connection habits, and considers two groups to be similar if they meet a similarity requirement and a connection requirement.
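The grouping step of claims 1, 4 and 8 to 10, as an added sketch that is not code from the patent: it builds the connectivity graph from observed connection pairs, derives a k-neighborhood graph, and emits its bi-connected components as integer-labelled groups. Assumption: the claims do not define the k-neighborhood graph, so here two hosts are linked when they share at least k neighbors in the connectivity graph; all function names and the sample hosts are hypothetical.

```python
from itertools import combinations

# Constructed sample: three clients using three servers, three build hosts using two.
SAMPLE_PAIRS = [(h, s) for h in ("c1", "c2", "c3") for s in ("mail", "web", "db")]
SAMPLE_PAIRS += [(h, s) for h in ("e1", "e2", "e3") for s in ("build", "git")]

def connectivity_graph(pairs):
    """Undirected graph: one vertex per host, one edge per one-hop connection."""
    adj = {}
    for a, b in pairs:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def k_neighborhood_graph(adj, k):
    """ASSUMPTION: link two hosts when they share at least k neighbors."""
    kadj = {h: set() for h in adj}
    for a, b in combinations(sorted(adj), 2):
        if len(adj[a] & adj[b]) >= k:
            kadj[a].add(b)
            kadj[b].add(a)
    return kadj

def biconnected_components(adj):
    """Hopcroft-Tarjan DFS; returns the vertex set of each bi-connected component."""
    disc, low, stack, comps = {}, {}, [], []
    def dfs(u, parent):
        disc[u] = low[u] = len(disc)            # discovery index
        for v in sorted(adj[u]):
            if v not in disc:
                stack.append((u, v))
                dfs(v, u)
                low[u] = min(low[u], low[v])
                if low[v] >= disc[u]:           # u cuts off v's subtree: close a component
                    comp, e = set(), None
                    while e != (u, v):
                        e = stack.pop()
                        comp.update(e)
                    comps.append(comp)
            elif v != parent and disc[v] < disc[u]:
                stack.append((u, v))            # back edge to an ancestor
                low[u] = min(low[u], disc[v])
    for root in sorted(adj):
        if root not in disc:
            dfs(root, None)
    return comps

def group_hosts(pairs, k):
    """Return {group_id: sorted hosts}; ids are unique integers as in claim 4."""
    comps = biconnected_components(k_neighborhood_graph(connectivity_graph(pairs), k))
    return {gid: sorted(c) for gid, c in enumerate(sorted(comps, key=min), 1)}
```

Hosts that are isolated in the k-neighborhood graph stay ungrouped at that k, which is why the claims iterate the grouping.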
Parent Case Info
[0001] This application claims the benefit of U.S. Provisional Application Serial No. 60/423,557, filed Nov. 04, 2002 entitled “ALGORITHMS FOR NETWORK ANOMALY DETECTION IN THE MAZU NETWORK PROFILER”; U.S. Provisional Application Serial No. 60/427,294, filed Nov. 18, 2002 entitled “ANOMALY DETECTION AND ROLE CLASSIFICATION IN A DISTRIBUTED COMPUTING NETWORK” and U.S. Provisional Application Serial No. 60/429,050, filed Nov. 25, 2002 entitled “ROLE CLASSIFICATION OF HOSTS WITHIN ENTERPRISE NETWORKS BASED ON CONNECTION PATTERNS.”
Provisional Applications (3)

| Number | Date | Country |
|---|---|---|
| 60423557 | Nov 2002 | US |
| 60427294 | Nov 2002 | US |
| 60429050 | Nov 2002 | US |