-
Publication No.: US10469511B2
Publication date: 2019-11-05
Application No.: US15211093
Filing date: 2016-07-15
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Laurent Sartran, Sébastien Gay
Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.
-
Publication No.: US10389606B2
Publication date: 2019-08-20
Application No.: US15211158
Filing date: 2016-07-15
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Grégory Mermoud
IPC: H04L12/26, H04L12/723, H04L29/06, H04L29/12, H04L12/24
Abstract: In one embodiment, a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.
-
Publication No.: US20180241762A1
Publication date: 2018-08-23
Application No.: US15440116
Filing date: 2017-02-23
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
CPC classification number: H04L63/1425, G06N20/00, H04L63/1441, H04L63/1458, H04L2463/141, H04L2463/144
Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
-
Publication No.: US20170279828A1
Publication date: 2017-09-28
Application No.: US15176652
Filing date: 2016-06-08
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
IPC: H04L29/06
CPC classification number: H04L63/1425, H04L41/142, H04L63/0236, H04L63/1416, H04L63/1458
Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
-
Publication No.: US12160436B2
Publication date: 2024-12-03
Application No.: US17677541
Filing date: 2022-02-22
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
IPC: H04L9/40, H04L41/142
Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.
-
Publication No.: US11290477B2
Publication date: 2022-03-29
Application No.: US16894332
Filing date: 2020-06-05
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
IPC: H04L29/06, H04L41/142
Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.
-
Publication No.: US10164991B2
Publication date: 2018-12-25
Application No.: US15176652
Filing date: 2016-06-08
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
-
Publication No.: US20180152466A1
Publication date: 2018-05-31
Application No.: US15364440
Filing date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Jean-Philippe Vasseur, Grégory Mermoud
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
-
Publication No.: US20180077182A1
Publication date: 2018-03-15
Application No.: US15263487
Filing date: 2016-09-13
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
IPC: H04L29/06
CPC classification number: H04L63/1425, H04L41/16, H04L43/04, H04L43/12
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US20170279694A1
Publication date: 2017-09-28
Application No.: US15211158
Filing date: 2016-07-15
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Grégory Mermoud
IPC: H04L12/26, H04L29/06, H04L29/12, H04L12/723
CPC classification number: H04L43/08, H04L41/14, H04L43/045, H04L43/062, H04L45/50, H04L47/2483, H04L61/6022, H04L67/42
Abstract: In one embodiment, a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.