ROAMING AND TRANSITION PATTERNS CODING IN WIRELESS NETWORKS FOR COGNITIVE VISIBILITY

    Publication number: US20190268784A1

    Publication date: 2019-08-29

    Application number: US16406535

    Filing date: 2019-05-08

    Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.

    DYNAMIC SELECTION OF MODELS FOR HYBRID NETWORK ASSURANCE ARCHITECTURES

    Publication number: US20190238443A1

    Publication date: 2019-08-01

    Application number: US15880689

    Filing date: 2018-01-26

    Abstract: In one embodiment, a local service of a network reports configuration information regarding the network to a cloud-based network assurance service. The local service receives a classifier selected by the cloud-based network assurance service based on the configuration information regarding the network. The local service classifies, using the received classifier, telemetry data collected from the network, to select a modeling strategy for the network. The local service installs, based on the modeling strategy for the network, a machine learning-based model to the local service for monitoring the network.

    Roaming and transition patterns coding in wireless networks for cognitive visibility

    Publication number: US10341885B2

    Publication date: 2019-07-02

    Application number: US15617444

    Filing date: 2017-06-08

    Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.

    BEHAVIORAL WHITE LABELING
    Patent application

    Publication number: US20180146007A1

    Publication date: 2018-05-24

    Application number: US15863257

    Filing date: 2018-01-05

    CPC classification number: H04L63/1458 H04L63/1416

    Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

    Ground truth evaluation for voting optimization
    Granted patent (in force)

    Publication number: US09559918B2

    Publication date: 2017-01-31

    Application number: US14278532

    Filing date: 2014-05-15

    Abstract: In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.

    Quarantine-based mitigation of effects of a local DoS attack
    Granted patent (in force)

    Publication number: US09286473B2

    Publication date: 2016-03-15

    Application number: US14165439

    Filing date: 2014-01-27

    CPC classification number: G06F21/554 H04W12/12

    Abstract: In one embodiment, techniques are shown and described relating to quarantine-based mitigation of effects of a local DoS attack. A management device may receive data indicating that one or more nodes in a shared-media communication network are under attack by an attacking node. The management device may then communicate a quarantine request packet to the one or more nodes under attack, the quarantine request packet providing instructions to the one or more nodes under attack to alter their frequency hopping schedule without allowing the attacking node to learn of the altered frequency hopping schedule.

    DISTRIBUTED SUPERVISED ARCHITECTURE FOR TRAFFIC SEGREGATION UNDER ATTACK
    Patent application (in force)

    Publication number: US20160028762A1

    Publication date: 2016-01-28

    Application number: US14338526

    Filing date: 2014-07-23

    Abstract: In one embodiment, data flows are received in a network, and information relating to the received data flows is provided to a machine learning attack detector. Then, in response to receiving an attack detection indication from the machine learning attack detector, a traffic segregation procedure is performed including: computing an anomaly score for each of the received data flows based on a degree of divergence from an expected traffic model, determining a subset of the received data flows that have an anomaly score that is lower than or equal to an anomaly threshold value, and providing information relating to the subset of the received data flows to the machine learning attack detector.

    VERIFYING NETWORK ATTACK DETECTOR EFFECTIVENESS
    Patent application (in force)

    Publication number: US20160028753A1

    Publication date: 2016-01-28

    Application number: US14338852

    Filing date: 2014-07-23

    Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

    SIGNATURE CREATION FOR UNKNOWN ATTACKS
    Patent application (in force)

    Publication number: US20160028750A1

    Publication date: 2016-01-28

    Application number: US14338719

    Filing date: 2014-07-23

    Abstract: In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.

