CPC H04L 41/06 (2013.01) [H04L 41/0677 (2013.01); H04L 41/12 (2013.01); H04L 43/50 (2013.01)]
22 Claims
1. A method of identifying and reporting network anomalies, comprising:
receiving a plurality of routing path messages, the routing path messages indicative of available network paths between network entities;
identifying, based on analyzing the plurality of routing path messages, an anomaly in an available network path, the anomaly causing network traffic between autonomous systems (AS) to follow a different path;
aggregating the plurality of routing path messages defining an anomaly received during a plurality of time intervals;
comparing the anomalies in each time interval of the plurality of time intervals to the anomaly in the others of the plurality of time intervals by:
building a plurality of node structures defining an isolation forest and representative of a set of features derived from the plurality of routing path messages received during a current time interval and a plurality of previous time intervals; and
traversing the node structure built from the plurality of the routing path messages corresponding to the current time interval and a second time interval from the plurality of previous time intervals, the node structures defining a respective plurality of decision trees based on routing paths indicative of a sequence of autonomous systems for satisfying a plurality of routes to a destination;
determining a deviation indicative of an outlier in the traversed node structure corresponding to the current time interval from a traversed node structure corresponding to the second time interval; and
concluding, based on the comparison indicating the outlier, that a difference in the anomalies is indicative of a network disruption.
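The comparison in claim 1 can be sketched as a small isolation forest over per-interval features. This is an added example, not the patent's implementation. The four features, the 0.6 score threshold, the tree count, and the sample messages (documentation prefixes and ASNs) are all assumptions made for illustration.

```python
import math, random

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
BASE = [("192.0.2.0/24", [64500, 64501, 64510]), ("198.51.100.0/24", [64500, 64502, 64511])]
DETOUR = [("192.0.2.0/24", [64500, 64503, 64504, 64505, 64496])] * 6
PREVIOUS = [BASE * (3 + i % 2) for i in range(7)]     # seven quiet previous intervals

def features(msgs):
    """Feature vector for one interval of (prefix, AS path) messages (assumed features)."""
    paths = [p for _, p in msgs]
    return [len(msgs),                                # update volume
            sum(map(len, paths)) / len(paths),        # mean AS-path length
            len({p[-1] for p in paths}),              # distinct origin ASes
            len({tuple(p) for p in paths})]           # distinct AS paths

def build(rows, rng, depth=0, limit=8):
    """One isolation tree: random feature, random split value; a leaf stores its size."""
    if len(rows) <= 1 or depth >= limit:
        return len(rows)
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:                                      # nothing to split on this feature
        return len(rows)
    s = rng.uniform(lo, hi)
    return (f, s, build([r for r in rows if r[f] < s], rng, depth + 1, limit),
            build([r for r in rows if r[f] >= s], rng, depth + 1, limit))

def c(n):  # expected path length of an unsuccessful BST search over n points
    if n <= 2:
        return float(n == 2)
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def path_len(x, node, d=0):
    """Traverse one tree for x; a leaf holding several rows adds the c(size) adjustment."""
    if not isinstance(node, tuple):
        return d + c(node)
    f, s, left, right = node
    return path_len(x, left if x[f] < s else right, d + 1)

def scores(intervals, trees=200, seed=7):
    """Anomaly score per interval: near 1 means isolated quickly, about 0.5 is ordinary."""
    rows, rng = [features(m) for m in intervals], random.Random(seed)
    forest = [build(rows, rng) for _ in range(trees)]
    return [2 ** -(sum(path_len(r, t) for t in forest) / trees / c(len(rows))) for r in rows]

def disrupted(previous, current, threshold=0.6):
    """True when the current interval is an outlier relative to every previous one."""
    s = scores(previous + [current])
    return s[-1] > threshold and s[-1] > max(s[:-1])
```

Calling `disrupted(PREVIOUS, BASE * 3 + DETOUR)` flags the interval in which one prefix starts arriving over a longer path from a new origin AS, while `disrupted(PREVIOUS, BASE * 3)` does not.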