Real-time anomaly detection in a network using state transitions.

In one embodiment, a method may include identifying a sequence of messages sent between a first network node and a second network node over a network link. The method may further include identifying a sequence of message states for the sequence of messages. The method may also include identifying variable-length candidate patterns in the sequence of message states. The method may further include adding the candidate patterns to a baseline pattern store. The method may also include comparing a real-time sequence of messages to patterns in the baseline pattern store to detect anomalies in the real-time sequence of messages. The method may further include, in response to the detecting of the anomalies, alerting a security action on one or more of the first network node, the second network node, and the network link using the detected anomalies.
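The baseline-and-compare loop described in the abstract, as an added Python example that is not part of the patent or any product implementing it. It assumes a fixed maximum pattern length and uses constructed message-state names (a simplified handshake/data/teardown sequence) and constructed node names; the abstract does not specify either.

```python
from collections import deque


def build_baseline(states, max_len):
    """Baseline pattern store: every contiguous run of 1..max_len message
    states observed during the training window (variable-length patterns)."""
    store = set()
    for i in range(len(states)):
        for length in range(1, max_len + 1):
            if i + length > len(states):
                break
            store.add(tuple(states[i:i + length]))
    return store


class LinkMonitor:
    """Checks each arriving message state on one link against the baseline."""

    def __init__(self, node_a, node_b, store, max_len):
        self.link = f"{node_a}->{node_b}"
        self.store = store
        self.recent = deque(maxlen=max_len)  # sliding window of live states
        self.alerts = []

    def observe(self, state):
        """Return an alert string if this state is anomalous, else None."""
        self.recent.append(state)
        window = list(self.recent)
        # Longest baseline pattern ending at this state. The store holds every
        # sub-run of the baseline, so a window can only match if its shorter
        # suffixes match too; stop at the first miss.
        longest = 0
        for length in range(1, len(window) + 1):
            if tuple(window[-length:]) in self.store:
                longest = length
            else:
                break
        if longest == 0:
            reason = "unknown message state"
        elif longest == 1 and len(window) > 1:
            reason = f"unseen transition {window[-2]} -> {state}"
        else:
            return None  # at least the last transition was seen in the baseline
        alert = f"ALERT {self.link}: {reason} ({state!r})"
        self.alerts.append(alert)
        return alert


# Constructed training data: two normal sessions on the same link.
BASELINE = ["SYN", "SYN_ACK", "ACK", "DATA", "ACK", "FIN", "FIN_ACK", "ACK"] * 2


def demo():
    store = build_baseline(BASELINE, max_len=3)
    monitor = LinkMonitor("nodeA", "nodeB", store, max_len=3)
    live = ["SYN", "DATA", "ACK", "RST"]  # constructed live sequence
    return [monitor.observe(s) for s in live]
```

`demo()` flags DATA (no baseline session sends data straight after SYN) and RST (a state never seen in training), while SYN and the DATA->ACK step pass.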