| CPC H04L 41/064 (2013.01) [H04L 41/0681 (2013.01); H04L 41/0816 (2013.01); H04L 41/147 (2013.01); H04L 41/16 (2013.01)] | 16 Claims |
|
1. A method comprising:
receiving, at a computing device from a plurality of network devices in a network, network data collected by the plurality of network devices;
determining, from the network data, a time series of statistics for each of the plurality of network devices;
aggregating, at the computing device, the time series of statistics for each of the plurality of network devices to produce an aggregated time series of statistics;
detecting, at the computing device, an anomaly in the network based on the aggregated time series of statistics, the anomaly having an associated anomaly time period; and
determining, at the computing device, that a first network device of the plurality of network devices is related to the anomaly using a temporal method that uses curves of statistics within the associated anomaly time period to determine that a curve of the time series of statistics for the first network device is more correlated to a curve of the aggregated time series of statistics than curves of the time series of statistics for other network devices of the plurality of network devices within the associated anomaly time period.
|