-
Publication No.: US12155526B1
Publication date: 2024-11-26
Application No.: US18196705
Filing date: 2023-05-12
Applicant: Cisco Technology, Inc.
Inventor: Sofia Karygianni , Andrea Di Pietro , Sukrit Dasgupta
IPC: G06F15/173 , H04L41/0681 , H04L41/22
Abstract: In one embodiment, a device determines a criticality of each of a plurality of endpoints in a network, based on network telemetry data regarding the network. The device translates a plurality of anomaly detection models available for deployment to the network and their metadata into a set of adjustable resources. The device generates an anomaly detection deployment strategy for the network by selecting a set of one or more of the plurality of anomaly detection models for deployment to one or more execution points in the network, based on the criticality of each of the plurality of endpoints and on the set of adjustable resources. The device causes the set to be deployed to the one or more execution points in the network, in accordance with the anomaly detection deployment strategy.
-
Publication No.: US11070441B2
Publication date: 2021-07-20
Application No.: US16578565
Filing date: 2019-09-23
Applicant: Cisco Technology, Inc.
Inventor: Andrea Di Pietro
Abstract: In one embodiment, a network assurance service maintains a data lake of network telemetry data obtained by the service from any number of computer networks. The service generates a machine learning model for on-premise execution in a particular computer network to detect network issues in the particular network. To do so, the service repeatedly selects a candidate set of model settings based in part on the data lake of network telemetry data, trains a machine learning model using network telemetry data from the data lake that matches the candidate set of model settings, and tests performance of the trained model using an emulator that emulates network issues in the particular network. The service further deploys the generated machine learning model to the particular computer network for on-premise execution.
-
Publication No.: US10778566B2
Publication date: 2020-09-15
Application No.: US15988084
Filing date: 2018-05-24
Applicant: Cisco Technology, Inc.
Inventor: Grégory Mermoud , Jean-Philippe Vasseur , Andrea Di Pietro
IPC: H04L12/24 , H04L12/46 , H04L12/751 , H04L12/26 , H04L29/12
Abstract: In one embodiment, a network assurance service that monitors a plurality of networks subdivides telemetry data regarding devices located in the networks into subsets, wherein each subset is associated with a device type, time period, metric type, and network. The service summarizes each subset by computing distribution percentiles of metric values in the subset. The service identifies an outlier subset by comparing distribution percentiles that summarize the subsets. The service reports insight data regarding the outlier subset to a user interface. The service adjusts the subsets based in part on feedback regarding the insight data from the user interface.
-
Publication No.: US10454785B2
Publication date: 2019-10-22
Application No.: US14273108
Filing date: 2014-05-08
Applicant: Cisco Technology, Inc.
Inventor: Javier Cruz Mota , Jean-Philippe Vasseur , Andrea Di Pietro
IPC: H04L12/24 , G06Q10/10 , G07C13/00 , H04L12/16 , H04L12/26 , H04L29/06 , H04L12/18 , H04K3/00 , H04W12/12 , H04L29/08
Abstract: In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result.
-
Publication No.: US10218726B2
Publication date: 2019-02-26
Application No.: US15180540
Filing date: 2016-06-13
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur , Grégory Mermoud , Pierre-André Savalle , Andrea Di Pietro , Sukrit Dasgupta
Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
-
Publication No.: US10187413B2
Publication date: 2019-01-22
Application No.: US15212597
Filing date: 2016-07-18
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur , Andrea Di Pietro , Grégory Mermoud , Fabien Flacher
Abstract: In one embodiment, a supervisory device in a network receives traffic data from a security device that uses traffic signatures to assess traffic in the network. The supervisory device receives traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network. The supervisory device trains a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents. The supervisory device deploys the traffic classifier to a selected one of the one or more distributed learning agents.
-
Publication No.: US09923910B2
Publication date: 2018-03-20
Application No.: US14874591
Filing date: 2015-10-05
Applicant: Cisco Technology, Inc.
Inventor: Andrea Di Pietro , Jean-Philippe Vasseur , Javier Cruz Mota
IPC: H04L29/06
CPC classification number: H04L63/1425 , H04L63/1416
Abstract: In one embodiment, a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly.
-
Publication No.: US09900342B2
Publication date: 2018-02-20
Application No.: US14338582
Filing date: 2014-07-23
Applicant: Cisco Technology, Inc.
Inventor: Javier Cruz Mota , Jean-Philippe Vasseur , Andrea Di Pietro
IPC: H04L29/06
CPC classification number: H04L63/1458 , H04L63/1416
Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
-
Publication No.: US20170279847A1
Publication date: 2017-09-28
Application No.: US15154349
Filing date: 2016-05-13
Applicant: Cisco Technology, Inc.
Inventor: Sukrit Dasgupta , Jean-Philippe Vasseur , Andrea Di Pietro
IPC: H04L29/06 , G06N5/04 , G06N99/00 , H04L12/931 , H04L12/66
Abstract: In one embodiment, a primary networking device in a branch network receives a notification of an anomaly detected by a secondary networking device in the branch network. The primary networking device is located at an edge of the network. The primary networking device aggregates the anomaly detected by the secondary networking device and a second anomaly detected in the network into an aggregated anomaly. The primary networking device associates the aggregated anomaly with a location of the secondary networking device in the branch network. The primary networking device reports the aggregated anomaly and the associated location of the secondary networking device to a supervisory device.
-
Publication No.: US20170279832A1
Publication date: 2017-09-28
Application No.: US15184252
Filing date: 2016-06-16
Applicant: Cisco Technology, Inc.
Inventor: Andrea Di Pietro , Jean-Philippe Vasseur
CPC classification number: H04L63/1425 , H04L61/1511 , H04L61/25 , H04L63/0281 , H04L63/1416 , H04L63/1458 , H04L63/1466
Abstract: In one embodiment, a device in a network receives, from a supervisory device, trace information for one or more traffic flows associated with a particular anomaly. The device remaps network addresses in the trace information to addresses of one or more nodes in the network based on roles of the one or more nodes. The device mixes, using the remapped network addresses, the trace information with traffic information regarding one or more observed traffic flows in the network, to form a set of mixed traffic information. The device analyzes the mixed traffic information using an anomaly detection model. The device provides an indication of a result of the analysis of the mixed traffic information to the supervisory device.