US 11,943,126 B1
Using a traffic monitoring service to detect traffic pattern shifts
Carlos Oliveira, Wellington, FL (US); Harpreet Ahluwalia, Holmdel, NJ (US); and Tzuu-Yi Wang, Newtown, PA (US)
Assigned to AT&T Intellectual Property I, L.P., Atlanta, GA (US)
Filed by AT&T Intellectual Property I, L.P., Atlanta, GA (US)
Filed on Oct. 26, 2022, as Appl. No. 17/973,946.
Int. Cl. H04L 43/0876 (2022.01); H04L 43/026 (2022.01); H04L 43/062 (2022.01)
CPC H04L 43/0876 (2013.01) [H04L 43/026 (2013.01); H04L 43/062 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system comprising:
a processor; and
a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations, the operations comprising:
obtaining netflow data for a plurality of core routers associated with a network and routing data associated with the plurality of core routers, the routing data being obtained from an interface inventory and a routing table;
generating, based on the netflow data and the routing data, an augmented traffic matrix;
performing, on the augmented traffic matrix, a router-level analysis to identify, among the plurality of core routers, a pair of core routers that are associated with a traffic pattern shift in the network, wherein the router-level analysis comprises:
selecting, from the plurality of core routers, the pair of core routers;
generating a daily time series for the pair of core routers, the daily time series comprising router-level utilizations of the pair of core routers for a particular hour of a day, wherein the router-level utilizations of the pair of core routers comprise proportions of traffic between the pair of core routers relative to all traffic in the network;
calculating a standard deviation and an autoregressive integrated moving average confidence interval for the router-level utilizations of the pair of core routers;
determining if, for the daily time series for the particular hour of the day, an hourly router-level utilization of the pair of core routers exceeds the standard deviation from an average utilization for the pair of core routers by a specified factor;
if a determination is made that the hourly router-level utilization of the pair of core routers exceeds the standard deviation from the average utilization for the pair of core routers by the specified factor, determining if the hourly router-level utilization of the pair of core routers exceeds the autoregressive integrated moving average confidence interval for the utilizations of the pair of core routers; and
if a determination is made that the hourly router-level utilization of the pair of core routers exceeds the autoregressive integrated moving average confidence interval for the utilizations of the pair of core routers, marking the pair of core routers as responsible for the traffic pattern shift in the network;
performing, on the pair of core routers, an entity-level analysis to identify, among a plurality of entities, an entity that is responsible for the traffic pattern shift in the network; and
outputting traffic shift data that identifies the pair of core routers and the entity that is responsible for the traffic pattern shift in the network.