Detection and resolution of rule conflicts in device classification systems

    Publication No.: US11290331B2

    Publication Date: 2022-03-29

    Application No.: US16428202

    Application Date: 2019-05-31

    Abstract: In one embodiment, a service receives a plurality of device type classification rules, each rule comprising a device type label and one or more device attributes used as criteria for application of the label to a device in a network. The service estimates, across a space of the device attributes, device densities of devices having device attributes at different points in that space. The service uses the estimated device densities to identify two or more of the device type classification rules as having overlapping device attributes. The service determines that the two or more device type classification rules are in conflict, based on the two or more rules having different device type labels. The service generates a rule conflict resolution that comprises one of the device type labels from the conflicting two or more device type classification rules.

    Deep learning architecture for collaborative anomaly detection and explanation

    Publication No.: US10574512B1

    Publication Date: 2020-02-25

    Application No.: US16120529

    Application Date: 2018-09-04

    Abstract: In one embodiment, a network assurance service that monitors a network detects a behavioral anomaly in the network using an anomaly detector that compares an anomaly detection threshold to a target value calculated based on a first set of one or more measurements from the network. The service uses an explanation model to predict when the anomaly detector will detect anomalies. The explanation model takes as input a second set of one or more measurements from the network that differs from the first set. The service determines that the detected anomaly is explainable, based on the explanation model correctly predicting the detection of the anomaly by the anomaly detector. The service provides an anomaly detection alert for the detected anomaly to a user interface, based on the detected anomaly being explainable. The anomaly detection alert indicates at least one measurement from the second set as an explanation for the anomaly.

    DETECTING SPOOFING IN DEVICE CLASSIFICATION SYSTEMS

    Publication No.: US20210329029A1

    Publication Date: 2021-10-21

    Application No.: US16851290

    Application Date: 2020-04-17

    Abstract: In various embodiments, a device classification service obtains device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device. The device classification service labels the device with a device type, based on the device telemetry data. The device classification service detects device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes. The device classification service initiates, based on the device type spoofing, a mitigation action regarding the device.

    Active learning for interactive labeling of new device types based on limited feedback

    Publication No.: US11100364B2

    Publication Date: 2021-08-24

    Application No.: US16194442

    Application Date: 2018-11-19

    Abstract: In one embodiment, a device clusters traffic feature vectors for a plurality of endpoints in a network into a set of clusters. Each traffic feature vector comprises traffic telemetry data captured for one of the endpoints. The device selects one of the clusters for labeling, based in part on contextual data associated with the clusters that was not used to form the clusters. The device obtains a device type label for the selected cluster by providing data regarding the selected cluster and the contextual data associated with that cluster to a user interface. The device provides the device type label and the traffic feature vectors associated with the selected cluster for training a machine learning-based device type classifier.

    LEARNING STABLE REPRESENTATIONS OF DEVICES FOR CLUSTERING-BASED DEVICE CLASSIFICATION SYSTEMS

    Publication No.: US20200336397A1

    Publication Date: 2020-10-22

    Application No.: US16389013

    Application Date: 2019-04-19

    Abstract: In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.
