US Patent 9584533 Performance enhancements for finding top traffic patterns

A method for network traffic characterization is provided. Flow data records are acquired associated with a security alert signature. Unidimensional traffic clusters are generated based on the acquired data. A Bloom filter is populated with the acquired flow data records. Clusters of interest are identified from the generated unidimensional traffic clusters. The identified clusters of interest are compressed into a compressed set. A determination is made whether a multidimensional processing of the acquired flow data needs to be performed based on a priority associated with the alert signature. A multidimensional lattice corresponding to the unidimensional traffic clusters is generated. The multidimensional lattice is traversed and for each multidimensional node under consideration a determination is made if the Bloom filter contains flow records matching the multidimensional node under consideration. A determination is made if the unidimensional node corresponding to the multidimentional node is included in the compressed set of unidimensional nodes.