DISTRIBUTED SUPERVISED ARCHITECTURE FOR TRAFFIC SEGREGATION UNDER ATTACK
    31.
    Invention application
    Legal status: In force

    Publication number: US20160028762A1

    Publication date: 2016-01-28

    Application number: US14338526

    Filing date: 2014-07-23

    Abstract: In one embodiment, data flows are received in a network, and information relating to the received data flows is provided to a machine learning attack detector. Then, in response to receiving an attack detection indication from the machine learning attack detector, a traffic segregation procedure is performed including: computing an anomaly score for each of the received data flows based on a degree of divergence from an expected traffic model, determining a subset of the received data flows that have an anomaly score that is lower than or equal to an anomaly threshold value, and providing information relating to the subset of the received data flows to the machine learning attack detector.

    VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS
    32.
    Invention application
    Legal status: In force

    Publication number: US20160028753A1

    Publication date: 2016-01-28

    Application number: US14338852

    Filing date: 2014-07-23

    Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

    SIGNATURE CREATION FOR UNKNOWN ATTACKS
    33.
    Invention application
    Legal status: In force

    Publication number: US20160028750A1

    Publication date: 2016-01-28

    Application number: US14338719

    Filing date: 2014-07-23

    Abstract: In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.

    Distributed voting mechanism for attack detection
    34.
    Granted invention patent
    Legal status: In force

    Publication number: US09230104B2

    Publication date: 2016-01-05

    Application number: US14273676

    Filing date: 2014-05-09

    CPC classification number: G06F21/554 H04L63/1408 H04W12/12 H04W84/18

    Abstract: In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present.

    GROUND TRUTH EVALUATION FOR VOTING OPTIMIZATION
    35.
    Invention application
    Legal status: In force

    Publication number: US20150334123A1

    Publication date: 2015-11-19

    Application number: US14278532

    Filing date: 2014-05-15

    Abstract: In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.

    VOTING STRATEGY OPTIMIZATION USING DISTRIBUTED CLASSIFIERS
    36.
    Invention application
    Legal status: Under examination (published)

    Publication number: US20150326450A1

    Publication date: 2015-11-12

    Application number: US14275344

    Filing date: 2014-05-12

    Abstract: In one embodiment, voting optimization requests that identify a validation data set are sent to a plurality of network nodes. Voting optimization data is received from the plurality of network nodes that was generated by executing classifiers using the validation data set. A set of one or more voting classifiers is then selected from among the classifiers based on the voting optimization data. One or more network nodes that host a voting classifier in the set of one or more selected voting classifiers is then notified of the selection.

    CROSS-VALIDATION OF A LEARNING MACHINE MODEL ACROSS NETWORK DEVICES
    37.
    Invention application
    Legal status: In force

    Publication number: US20150193697A1

    Publication date: 2015-07-09

    Application number: US14164482

    Filing date: 2014-01-27

    Abstract: In one embodiment, a first network device receives a notification that the first network device has been selected to validate a machine learning model for a second network device. The first network device receives model parameters for the machine learning model that were generated by the second network device using training data on the second network device. The model parameters are used with local data on the first network device to determine performance metrics for the model parameters. The performance metrics are then provided to the second network device.

    DETERMINING CONTEXT AND ACTIONS FOR MACHINE LEARNING-DETECTED NETWORK ISSUES

    Publication number: US20210281492A1

    Publication date: 2021-09-09

    Application number: US16812517

    Filing date: 2020-03-09

    Abstract: In one embodiment, a network assurance service that monitors a network detects a network issue in the network using a machine learning model and based on telemetry data captured in the network. The service assigns the detected network issue to an issue cluster by applying clustering to the detected network issue and to a plurality of previously detected network issues. The service selects a set of one or more actions for the detected network issue from among a plurality of actions associated with the previously detected network issues in the issue cluster. The service obtains context data for the detected network issue. The service provides, to a user interface, an indication of the detected network issue, the obtained context data for the detected network issue, and the selected set of one or more actions.

    MODEL TRAINING FOR ON-PREMISE EXECUTION IN A NETWORK ASSURANCE SYSTEM

    Publication number: US20210092026A1

    Publication date: 2021-03-25

    Application number: US16578565

    Filing date: 2019-09-23

    Inventor: Andrea Di Pietro

    Abstract: In one embodiment, a network assurance service maintains a data lake of network telemetry data obtained by the service from any number of computer networks. The service generates a machine learning model for on-premise execution in a particular computer network to detect network issues in the particular network. To do so, the service repeatedly selects a candidate set of model settings based in part on the data lake of network telemetry data, trains a machine learning model using network telemetry data from the data lake that matches the candidate set of model settings, and tests performance of the trained model using an emulator that emulates network issues in the particular network. The service further deploys the generated machine learning model to the particular computer network for on-premise execution.
