-
Publication No.: US10701092B2
Publication date: 2020-06-30
Application No.: US15364440
Application date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Jean-Philippe Vasseur, Grégory Mermoud
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
-
Publication No.: US20190342321A1
Publication date: 2019-11-07
Application No.: US16517748
Application date: 2019-07-22
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US10389741B2
Publication date: 2019-08-20
Application No.: US15163347
Application date: 2016-05-24
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Laurent Sartran, Jean-Philippe Vasseur, Grégory Mermoud
Abstract: In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
-
Publication No.: US10320824B2
Publication date: 2019-06-11
Application No.: US14989920
Application date: 2016-01-07
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Grégory Mermoud, Laurent Sartran
IPC: H04L9/00, H04L29/06, H04L12/707, G06N20/00, H04L12/725, G06F21/55, H04L12/751
Abstract: In one embodiment, a device in a network receives traffic metrics for a plurality of applications in the network. The device populates a feature space for a machine learning-based anomaly detector. The device identifies a missing dataset in the feature space for a particular one of the plurality of applications. The device adjusts how traffic is sent in the network, to capture the missing dataset.
-
Publication No.: US20190081973A1
Publication date: 2019-03-14
Application No.: US16190756
Application date: 2018-11-14
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
CPC classification number: H04L63/1425, H04L41/142, H04L63/0236, H04L63/1416, H04L63/1458
Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
-
Publication No.: US10218729B2
Publication date: 2019-02-26
Application No.: US15205122
Application date: 2016-07-08
Applicant: Cisco Technology, Inc.
Inventor: Sébastien Gay, Laurent Sartran, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
-
Publication No.: US20170279698A1
Publication date: 2017-09-28
Application No.: US15188175
Application date: 2016-06-21
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Sébastien Gay
IPC: H04L12/26
CPC classification number: H04L43/0876, H04L41/142, H04L41/147, H04L41/16, H04L43/028, H04L43/0823, H04L43/16
Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.
-
Publication No.: US20220353285A1
Publication date: 2022-11-03
Application No.: US17677541
Application date: 2022-02-22
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
IPC: H04L9/40, H04L41/142
Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.
-
Publication No.: US11140187B2
Publication date: 2021-10-05
Application No.: US16517748
Application date: 2019-07-22
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US20200304530A1
Publication date: 2020-09-24
Application No.: US16894332
Application date: 2020-06-05
Applicant: Cisco Technology, Inc.
Inventor: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.