Abstract:
In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.
Abstract:
In one embodiment, a device determines that input data to a machine learning model sent from a plurality of source nodes to an aggregation node is causing network congestion. A set of one or more other nodes to perform aggregation of the machine learning model input data is selected. A type of aggregation to be performed by the set of one or more other nodes is also selected. The set of one or more other nodes is also instructed to perform the selected type of aggregation on the data sent from the source nodes.
Abstract:
In one embodiment, network data is received at a first node in a computer network. A low precision machine learning model is used on the network data to detect a network event. A notification is then sent to a second node in the computer network that the network event was detected, to cause the second node to use a high precision machine learning model to validate the detected network event.
Abstract:
In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
Abstract:
In one embodiment, local model parameters are generated by training a machine learning model at a device in a computer network using a local data set. One or more other devices in the network are identified that have trained machine learning models using remote data sets that are similar to the local data set. The local model parameters are provided to the one or more other devices to cause the one or more other devices to generate performance metrics using the provided model parameters. Performance metrics for model parameters are received from the one or more other devices and a global set of model parameters is selected for the device and the one or more other devices using the received performance metrics.
Abstract:
In one embodiment, a particular node in a network determines information relating to network attack detection and mitigation from a local machine learning attack detection and mitigation system. The particular node sends a message to an address in the network indicating capabilities of the local machine learning attack detection and mitigation system based on the information. In response to the sent message, the particular node receives an indication that it is a member of a collaborative group of nodes based on the capabilities of the local machine learning attack detection and mitigation system being complementary to capabilities of other machine learning attack detection and mitigation systems. Then, in response to an attack being detected by the local machine learning attack detection and mitigation system, the particular node provides to the collaborative group of nodes an indication of attack data flows identified as corresponding to the attack.
Abstract:
In one embodiment, a device in a network detects a network attack using aggregated metrics for a set of traffic data. In response to detecting the network attack, the device causes the traffic data to be clustered into a set of traffic data clusters. The device causes one or more attack detectors to analyze the traffic data clusters. The device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the one or more attack detectors.
Abstract:
In one embodiment, a device in a network identifies a set of traffic flow records that triggered an attack detector. The device selects a subset of the traffic flow records and calculates aggregated metrics for the subset. The device provides the aggregated metrics for the subset to the attack detector to generate an attack detection determination for the subset of traffic flow records. The device identifies one or more attack traffic flows from the set of traffic flow records based on the attack detection determination for the subset of traffic flow records.