IPC classification information

Country / Type: United States (US) Patent, Registered
International Patent Classification (IPC 7th edition):
Application number: UP-0965670 (2004-10-14)
Registration number: US-7631355 (2009-12-16)
Inventors / Address:
- Bolt, George
- Manslow, John
Applicant / Address:
- Cerebrus Solutions Limited
Agent / Address: Knobbe Martens Olson & Bear LLP
Citation information: Times cited: 5; Patents cited: 7

Abstract

A system for identifying extreme behavior in elements of a network comprises a profiler and a collator. The profiler and the collator perform a method of identifying extreme behavior in the network elements. The profiler maintains one or more group profiles of network elements. Each group profile is associated with a plurality of network elements. The profiler accumulates values of a first function of the contents of an input data stream over a first period of time for each group profile. The input data stream includes at least one field containing a network element reference. The accumulated values of each group profile are compared with a corresponding collation threshold. The collator creates a collation instance for each group profile that reaches the collation threshold. Each collation instance creates a plurality of collation profiles. Each collation profile is associated with one or more network elements from the plurality of network elements corresponding to the group profile that caused the creation of the collation instance. The collator instance accumulates values of a second function of the contents of the input data stream for each collation profile over a second period of time. Extreme behavior of network elements is identified from the accumulated values of the collation profiles.

Representative claim

The invention claimed is:

1. A method of identifying abnormal behavior in activity occurring over a network comprising a plurality of network elements, each network element having a network element identifier, the method comprising: maintaining one or more group profiles of network activity, each group profile being associated with a plurality of network element identifiers; accumulating values of a first function of the contents of an input data stream over a first period of time in each group profile so as to profile the behavior of a respective first portion of the network corresponding to the network element identifiers associated with the respective group profile, the contents of the data stream including at least one field containing a network element identifier and other information related to activity over the respective network element having the respective network element identifier; comparing the accumulated values of each group profile with a corresponding collation threshold and determining whether each group profile at least reaches the corresponding collation threshold; creating a plurality of collation profiles for each group profile that reaches the collation threshold, each collation profile being associated with one or more network element identifiers from the plurality of network element identifiers corresponding to the group profile that caused the creation of the corresponding collation profiles; accumulating values of a second function of the contents of the input data stream in each collation profile over a second period of time so as to profile behavior of a respective second portion of the network corresponding to one or more of the network element identifiers associated with the respective collation profile; and identifying abnormal behavior in activity over each second portion of the network by checking whether each of the accumulated values of the collation profiles meets an abnormal behavior criterion.

2. A method according to claim 1, wherein each collation threshold is calculated as a configurable function of a configurable number of previous group profiles for the corresponding plurality of network element identifiers.

3. A method according to claim 1, wherein each group profile is for a contiguous range of network element identifiers.

4. A method according to claim 1, wherein a collation profile is created for each of the network element identifiers associated with the group profile that reached the collation threshold.

5. A method according to claim 1, wherein a collation profile is created for a plurality of sub-groups of network element identifiers associated with the group profile that reached the collation threshold.

6. A method according to claim 1, wherein the first function does not modify the data in the data stream.

7. A method according to claim 1, wherein the first function is a fraud risk assessment function.

8. A method according to claim 1, wherein the second function is the same as the first function.

9. A method according to claim 1, wherein the second function is a fraud risk assessment function.

10. A method according to claim 1, wherein the first period of time is longer than the second period of time.

11. A method according to claim 1, wherein the first period of time is an integer multiple of the second period of time.

12. A method according to claim 1, wherein the collation profiles are sorted into descending order at the end of the second period.

13. A method according to claim 12, wherein abnormal behavior of the network is identified from the sorted list of collation profiles.

14. A method according to claim 13, wherein abnormal behavior is identified by looking for the first pair of contiguous collation profiles with a difference between them that is larger than the value of the smaller of the two contiguous collation profiles.

15. A method according to claim 14, wherein an alert is created for the collation profiles which are identified as reflecting abnormal behavior.

16. A method according to claim 1, wherein each collation instance is deleted at the end of the second period and wherein new collation profiles are created for group profiles that reach the corresponding collation threshold.

17. A method according to claim 1, wherein if a collation profile does not identify abnormal behavior at the end of the second period of time an alert is generated.

18. A method according to claim 15, wherein when an alert is generated, that upon investigation turns out not to be created by abnormal behavior, the collation threshold of the group profile corresponding to the collation instance that generated the alert is adjusted by a configurable amount so as to be less sensitive.

19. A method according to claim 1, wherein the collation threshold is temporarily adjusted to take into account known abnormal periods.

20. A method according to claim 1, wherein the corresponding network element identifiers of specific network elements that are expected to have erratic activity are excluded from the group profiles.

21. A system for identifying abnormal behavior in activity occurring over a network comprising a plurality of elements, each network element having a network element identifier, the system comprising: a profiler arranged to maintain a plurality of group profiles of network activity, each group profile being associated with a plurality of network element identifiers and comprising accumulated values of a first function of the contents of an input data stream over a first period of time so as to profile behavior of a respective first portion of the network corresponding to network element identifiers associated with the respective group profile, the input data stream comprising at least one field which contains a network element identifier and other information related to activity over the respective network elements having the respective network element identifier, wherein the profiler is configured to compare the accumulated values of each group profile with a corresponding collation threshold and determine whether each group profile at least reaches the corresponding collation threshold; and a collator configured to create collation instances, the collator configured to only create a collation instance when the profiler determines from the comparison of each accumulated value with the corresponding collation threshold that the corresponding collation threshold has been reached, the collator being configured such that each collation instance creates a collation profile for one or more network element identifiers from the plurality of network identifiers, each collation profile comprising accumulated values of a second function of the contents of the input data stream over a second configurable period of time so as to profile behavior of a respective second portion of the network corresponding to network element identifiers associated with the respective collation profile, wherein the collator is further configured to identify abnormal behavior by checking whether each of the accumulated values of each collation profile meets an abnormal behavior criterion.

22. The method of claim 1, wherein the other information in the data stream comprises at least one of the following: a call duration, a repeated call type, a repeated call destination, call costs, and an identity of switches used to route a data stream around the network.

23. The system of claim 21, wherein the other information in the data stream comprises at least one of the following: a call duration, a repeated call type, a repeated call destination, and an identity of switches used to route a data stream around the network.

24. A system for identifying abnormal behavior in activity occurring over a network comprising a plurality of network elements, each network element having a network element identifier, the system comprising: means for maintaining one or more group profiles of network activity, each group profile being associated with a plurality of network element identifiers; means for accumulating values of a first function of the contents of an input data stream over a first period of time in each group profile so as to profile behavior of a respective first portion of the network corresponding to the network element identifiers associated with the respective group profile, the contents of the data stream including at least one field containing a network element identifier and other information related to the activity over the respective network elements having the respective network element identifier; means for comparing the accumulated values of each group profile with a corresponding collation threshold and determining whether each group profile at least reaches the corresponding collation threshold; means for creating a plurality of collation profiles for each group profile that reaches the collation threshold, each collation profile being associated with one or more network element identifiers from the plurality of network element identifiers corresponding to the group profile that caused the creation of the corresponding collation profiles; means for accumulating values of a second function of the contents of the input data stream in each collation profile over a second period of time so as to profile behavior of a respective second portion of the network corresponding to one or more of the network element identifiers associated with the respective collation profile; and means for identifying abnormal behavior in activity over each second portion of the network by checking whether each of the accumulated values of the collation profiles meets an abnormal behavior criterion.

25. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more processors to perform a method of identifying abnormal behavior in activity occurring over a network comprising a plurality of network elements, each network element having a network element identifier, the method comprising: maintaining one or more group profiles of network activity, each group profile being associated with a plurality of network element identifiers; accumulating values of a first function of the contents of an input data stream over a first period of time in each group profile so as to profile behavior of a respective first portion of the network corresponding to the network element identifiers associated with the respective group profile, the contents of the data stream including at least one field containing a network element identifier and other information related to activity over the respective network element having the respective network element identifier; comparing the accumulated values of each group profile with a corresponding collation threshold and determining whether each group profile at least reaches the corresponding collation threshold; creating a plurality of collation profiles for each group profile that reaches the collation threshold, each collation profile being associated with one or more network element identifiers from the plurality of network element identifiers corresponding to the group profile that caused the creation of the corresponding collation profiles; accumulating values of a second function of the contents of the input data stream in each collation profile over a second period of time so as to profile behavior of a respective second portion of the network corresponding to one or more of the network element identifiers associated with the respective collation profile; and identifying abnormal behavior in activity over each second portion of the network by checking whether each of the accumulated values of the collation profiles meets an abnormal behavior criterion.
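
An added sketch of the two-stage method of claims 1, 3, 4, 12 and 14, written for this page and not taken from the patent or its assignee: group profiles over contiguous identifier ranges trigger per-element collation profiles, which are then ranked and split at the first gap larger than the smaller neighbour. Assumptions: call cost serves as both the first and second function, the group size, thresholds and records are constructed, and the profiles ranked above the gap are read as the abnormal ones.

```python
from collections import defaultdict

def accumulate(records, key, fn):
    """Sum fn(record) per key: the 'accumulated values' of a profile."""
    totals = defaultdict(float)
    for rec in records:
        totals[key(rec)] += fn(rec)
    return dict(totals)

def gap_outliers(profiles):
    """Claims 12-14: sort descending, find the first adjacent pair whose
    difference exceeds the smaller value; return the ids ranked above it
    (treating those as the abnormal ones is an assumption of this sketch)."""
    ranked = sorted(profiles.items(), key=lambda kv: kv[1], reverse=True)
    for i in range(len(ranked) - 1):
        hi, lo = ranked[i][1], ranked[i + 1][1]
        if hi - lo > lo:
            return [eid for eid, _ in ranked[: i + 1]]
    return []  # no qualifying gap: nothing stands out

def detect(first_period, second_period, thresholds, group_size, fn):
    """Stage 1: group profiles over contiguous id ranges (claim 3).
    Stage 2: per-element collation profiles (claim 4), created only for
    groups that at least reach their collation threshold."""
    group = lambda rec: rec["id"] // group_size
    alerts = {}
    for g, total in accumulate(first_period, group, fn).items():
        if total < thresholds.get(g, float("inf")):
            continue  # threshold not reached: no collation instance
        members = [r for r in second_period if group(r) == g]
        alerts[g] = gap_outliers(accumulate(members, lambda r: r["id"], fn))
    return alerts

# Constructed sample records: 'id' is the network element identifier field,
# 'cost' stands in for the "other information" (call costs, claim 22).
FIRST = [{"id": 7, "cost": 30.0}, {"id": 150, "cost": 420.0},
         {"id": 101, "cost": 80.0}]
SECOND = [{"id": 7, "cost": 50.0}, {"id": 101, "cost": 5.0},
          {"id": 102, "cost": 6.0}, {"id": 103, "cost": 4.0},
          {"id": 150, "cost": 90.0}, {"id": 150, "cost": 60.0}]
THRESHOLDS = {0: 100.0, 1: 400.0}  # constructed collation thresholds

if __name__ == "__main__":
    print(detect(FIRST, SECOND, THRESHOLDS, 100, lambda r: r["cost"]))
```

Only the group that reaches its threshold pays the cost of per-element profiling, which is the point of the two stages: element 7 is never profiled individually because its group stays below the collation threshold.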