Patent attributes
A technique for identifying deviations in patterns of data traffic between host devices communicating over a network involves establishing a baseline traffic distribution by categorizing data traffic during a learning period. The baseline traffic distribution includes a list of categories and a metric value and a measure of variability of the metric value for each category in the list. An observed traffic distribution is generated by categorizing data traffic during an observation period. The observed traffic distribution includes a list of categories and a metric value associated with each category in the list. An alarm is generated in response to at least one of the metric values of the categories of the observed traffic distribution deviating significantly from the corresponding metric value in the baseline traffic distribution based on a pair-wise comparison of the observed metric values with respective thresholds established for corresponding categories of the baseline traffic distribution.
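The following sketch, an added example and not code from the patent, walks through the baseline and pair-wise comparison steps the abstract describes. It assumes details the abstract leaves open: the category is (protocol, destination port), the metric is bytes per interval, the measure of variability is the standard deviation, and the threshold is the baseline mean plus or minus `k` standard deviations; all names and sample flows are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def categorize(flows):
    """Sum bytes per category; category = (protocol, dst_port) is an assumption."""
    dist = defaultdict(int)
    for proto, port, nbytes in flows:
        dist[(proto, port)] += nbytes
    return dict(dist)

def build_baseline(learning_intervals):
    """Per category: mean metric and its standard deviation over the learning period."""
    per_interval = [categorize(f) for f in learning_intervals]
    baseline = {}
    for cat in set().union(*per_interval):
        vals = [d.get(cat, 0) for d in per_interval]  # absent in an interval counts as 0
        baseline[cat] = (mean(vals), pstdev(vals))
    return baseline

def compare(baseline, observed, k=3.0, min_sigma=1.0):
    """Pair-wise check of each observed metric against its own category's threshold."""
    alarms = []
    for cat in sorted(set(baseline) | set(observed)):
        value = observed.get(cat, 0)  # a baseline category that went silent is 0
        if cat not in baseline:
            alarms.append((cat, value, "category not in baseline"))
            continue
        mu, sigma = baseline[cat]
        band = k * max(sigma, min_sigma)  # floor avoids a zero-width band
        if abs(value - mu) > band:
            alarms.append((cat, value, f"outside {mu:.0f} +/- {band:.0f}"))
    return alarms

# Constructed sample flows: (protocol, destination port, bytes), one list per interval.
LEARNING = [
    [("tcp", 443, 1000), ("tcp", 443, 1100), ("udp", 53, 200)],
    [("tcp", 443, 2000), ("udp", 53, 210)],
    [("tcp", 443, 2200), ("udp", 53, 190)],
]
OBSERVED = [("tcp", 443, 2150), ("udp", 53, 900), ("tcp", 4444, 50)]

if __name__ == "__main__":
    for alarm in compare(build_baseline(LEARNING), categorize(OBSERVED)):
        print("ALARM", alarm)
```

Because each category is judged against its own variability, the HTTPS volume that moved by 50 bytes passes while the DNS volume that moved by 700 bytes does not, even though the DNS total is still smaller in absolute terms.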