CPC H04L 63/1425 (2013.01) [H04L 41/145 (2013.01); H04L 61/103 (2013.01); H04L 63/101 (2013.01)] | 20 Claims
1. A computer-implemented method for determining aspects of a network, the method comprising:
receiving traffic data;
determining a plurality of communication connection patterns, wherein each communication connection pattern includes a set of:
a communication source identifier for identifying a communication source, and
a communication destination identifier for identifying a communication destination;
comparing a whitelist with the plurality of communication connection patterns, wherein the whitelist includes a communication connection pattern of traffic data under a normal communication;
assigning, based on the compared plurality of communication connection patterns, an identifier to the plurality of communication connection patterns, wherein the compared communication connection patterns include a new communication connection pattern from the plurality of communication connection patterns not on the whitelist;
generating, based on the plurality of communication connection patterns with the assigned identifier, a graph feature amount;
assigning the identifier of the plurality of communication connection patterns to the generated graph feature amount;
determining normalcy of the generated graph feature amount using a trained model on graph feature amount based on the communication connection patterns; and
retrieving, from the plurality of communication connection patterns including a new communication connection pattern, the new communication connection pattern corresponding to an identifier of graph feature amount that has been determined as anomaly in communication; and
determining the retrieved new communication connection pattern as a communication causing anomaly.
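The steps of claim 1, sketched end to end as an added example; this is not code from the patent. The claim does not say which graph feature or which trained model is used, so the degree-based feature, the mean/deviation model, the threshold and the host names below are all assumptions chosen for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample traffic (not from the patent): (source, destination) pairs.
NORMAL = [("hmi1", "plc1"), ("hmi1", "plc2"), ("hmi2", "plc1"), ("hmi2", "plc2"),
          ("plc1", "hist1"), ("plc2", "hist1"),
          ("eng1", "plc1"), ("eng1", "plc2"), ("eng1", "hist1")]
OBSERVED = NORMAL + [("hmi1", "hist1"), ("plc2", "ext1")]

def patterns(traffic):
    """Distinct (source, destination) connection patterns, in first-seen order."""
    return list(dict.fromkeys(traffic))

def graph_features(pats):
    """Assumed feature per pattern: (out-degree of source, in-degree of destination)."""
    out_deg = Counter(s for s, _ in pats)
    in_deg = Counter(d for _, d in pats)
    return [(out_deg[s], in_deg[d]) for s, d in pats]

def train(normal_traffic, min_std=0.5):
    """Stand-in 'trained model': per-feature mean and floored std of normal features."""
    cols = list(zip(*graph_features(patterns(normal_traffic))))
    # The floor avoids division by zero when a feature is constant in training.
    return [(mean(c), max(pstdev(c), min_std)) for c in cols]

def is_anomalous(feature, model, z_max=3.0):
    """A feature is abnormal if any component is more than z_max deviations off."""
    return any(abs(x - mu) / sd > z_max for x, (mu, sd) in zip(feature, model))

def find_causes(traffic, whitelist, model):
    pats = patterns(traffic)
    # Identifier = index of the pattern; the flag marks patterns not on the whitelist.
    tagged = {i: (p, p not in whitelist) for i, p in enumerate(pats)}
    # Each graph feature carries the identifier of the pattern it was built from.
    feats = dict(enumerate(graph_features(pats)))
    bad_ids = [i for i, f in feats.items() if is_anomalous(f, model)]
    # Retrieve only the new patterns whose identifier maps to an anomalous feature.
    return [tagged[i][0] for i in bad_ids if tagged[i][1]]

WHITELIST = set(patterns(NORMAL))
MODEL = train(NORMAL)
CAUSES = find_causes(OBSERVED, WHITELIST, MODEL)
```

In this constructed data both added flows are off the whitelist, but only the one whose graph feature falls outside the trained range is returned as the cause.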