-
Publication (Announcement) No.: US10404727B2
Publication (Announcement) Date: 2019-09-03
Application No.: US15176678
Application Date: 2016-06-08
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Sébastien Gay, Grégory Mermoud, Pierre-André Savalle, Alexandre Honoré, Fabien Flacher
Abstract: In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
-
Publication (Announcement) No.: US20170279833A1
Publication (Announcement) Date: 2017-09-28
Application No.: US15205732
Application Date: 2016-07-08
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Alexandre Honoré
IPC: H04L29/06, H04L12/751
CPC classification number: H04L63/1425, H04L45/08, H04L63/1433, H04L63/1458, H04L2463/144
Abstract: In one embodiment, a device in a network receives an indication that a network anomaly detected by an anomaly detector of a first node in the network is associated with scanning activity in the network. The device receives labeled traffic data associated with the detected anomaly that identifies whether the traffic data is associated with legitimate or illegitimate scanning activity. The device trains a machine learning-based classifier using the labeled traffic data to distinguish between legitimate and illegitimate scanning activity in the network. The device deploys the trained classifier to the first node, to distinguish between legitimate and illegitimate scanning activity in the network.
-
Publication (Announcement) No.: US20170279696A1
Publication (Announcement) Date: 2017-09-28
Application No.: US15188140
Application Date: 2016-06-21
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Pierre-André Savalle, Alexandre Honoré
CPC classification number: G06N99/005, H04L41/142, H04L43/062, H04L43/14, H04L43/50
Abstract: In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.