CPC H04L 41/147 (2013.01) [H04L 41/06 (2013.01); H04L 41/145 (2013.01); H04L 43/04 (2013.01); H04L 43/08 (2013.01); H04L 67/10 (2013.01)]
20 Claims
1. A method of a computing network implemented in a data processing device comprising a processor communicatively coupled to a memory, comprising:
sampling time series data associated with each network entity of a plurality of network entities of the computing network for each feature thereof into a smaller time interval compared to that of the time series data as a first data series comprising a maximum value of the sampled time series data for the each feature within the smaller time interval and a second data series comprising a minimum value of the sampled time series data for the each feature within the smaller time interval;
generating a reference data band based on:
predicting a first future data set of the each network entity for the each feature based on the first data series and a second future data set of the each network entity for the each feature based on the second data series;
combining the first future data set and the second future data set for each future time interval thereof; and
transforming the combined first future data set and the second future data set for the each future time interval into the reference data band;
based on regarding a maximum of the first future data set as a maximum expected value of the reference data band and a minimum of the second future data set as a minimum expected value of the reference data band, detecting at least one anomaly in real-time data associated with the each network entity for the each feature thereof based on determining whether the real-time data falls outside the maximum expected value and the minimum expected value of the reference data band in accordance with computing a score for the at least one anomaly indicative of anomalousness thereof, the computation of the score involving both relative scoring and absolute deviation scoring, the absolute deviation scoring being based on previous data deviations from reference data bands analogous to the reference data band associated with the each network entity, and the absolute deviation scoring further comprising:
preserving a first discrete data distribution for the each network entity for the each feature for associated anomalies with values higher than the maximum expected value of the reference data band and a second discrete data distribution for the each network entity for the each feature for other associated anomalies with values lower than the minimum expected value of the reference data band, both the first discrete data distribution and the second discrete data distribution having a probability mass function of the previous data deviations from the reference data bands analogous to the reference data band associated with the each network entity; and
computing a cumulative probability utilizing a deviation value of the detected at least one anomaly from the reference data band; and
determining an event associated with a pattern of change of the real-time data associated with the each network entity based on executing an optimization algorithm to determine, among all features of the each network entity, a series of anomalies comprising the detected at least one anomaly that constitutes a sequence of patterned anomalies in accordance with scanning detected anomalies associated with the real-time data associated with the each network entity including the detected at least one anomaly.
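One possible reading of the min/max sampling, reference band and absolute deviation scoring steps of claim 1, written as an added Python example that is not taken from the patent. The predicted series are supplied by the caller, and the bin width, the score returned for an empty history, the reading of a higher cumulative probability as more anomalous, and all function and class names are assumptions.

```python
from collections import Counter

# Assumptions (not from the patent): bin width, score of 1.0 for an empty
# history, "higher cumulative probability = more anomalous", and all names.

def downsample_min_max(series, window):
    """Split a series into windows; return (max series, min series)."""
    chunks = [series[i:i + window] for i in range(0, len(series), window)]
    return [max(c) for c in chunks], [min(c) for c in chunks]

def reference_band(pred_max, pred_min):
    """Band bounds: minimum of the predicted-min set, maximum of the predicted-max set."""
    return min(pred_min), max(pred_max)

class DeviationHistory:
    """Discrete distribution (PMF) of past deviations on one side of the band."""
    def __init__(self, bin_width=1.0):
        self.bin_width = bin_width
        self.counts = Counter()

    def _bin(self, deviation):
        return int(deviation // self.bin_width)

    def add(self, deviation):
        self.counts[self._bin(deviation)] += 1

    def cumulative_probability(self, deviation):
        """Share of previous deviations no larger than this one."""
        total = sum(self.counts.values())
        if total == 0:
            return 1.0  # assumed: no history means nothing comparable was seen
        b = self._bin(deviation)
        return sum(n for k, n in self.counts.items() if k <= b) / total

def score_point(value, band, above, below):
    """Return (side, absolute-deviation score), or None if inside the band."""
    low, high = band
    if value > high:
        side, dev, hist = "above", value - high, above
    elif value < low:
        side, dev, hist = "below", low - value, below
    else:
        return None
    score = hist.cumulative_probability(dev)
    hist.add(dev)  # preserve the deviation for scoring later anomalies
    return side, score
```

Keep one `DeviationHistory` pair per network entity and feature, so that a deviation is compared only against that entity's own past excursions above or below its band.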