-
Publication No.: US20170310691A1
Publication date: 2017-10-26
Application No.: US15176678
Application date: 2016-06-08
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Sébastien Gay, Grégory Mermoud, Pierre-André Savalle, Alexandre Honoré, Fabien Flacher
CPC classification number: H04L63/1425, H04L41/0631, H04L41/12, H04L41/147, H04L63/1458
Abstract: In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
-
Publication No.: US10469511B2
Publication date: 2019-11-05
Application No.: US15211093
Application date: 2016-07-15
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Laurent Sartran, Sébastien Gay
Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.
-
Publication No.: US10404727B2
Publication date: 2019-09-03
Application No.: US15176678
Application date: 2016-06-08
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Sébastien Gay, Grégory Mermoud, Pierre-André Savalle, Alexandre Honoré, Fabien Flacher
Abstract: In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
-
Publication No.: US20180152466A1
Publication date: 2018-05-31
Application No.: US15364440
Application date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Jean-Philippe Vasseur, Grégory Mermoud
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
-
Publication No.: US20180077182A1
Publication date: 2018-03-15
Application No.: US15263487
Application date: 2016-09-13
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
IPC: H04L29/06
CPC classification number: H04L63/1425, H04L41/16, H04L43/04, H04L43/12
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US11140187B2
Publication date: 2021-10-05
Application No.: US16517748
Application date: 2019-07-22
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US10659333B2
Publication date: 2020-05-19
Application No.: US15188175
Application date: 2016-06-21
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Sébastien Gay
IPC: H04L12/26
Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.
-
Publication No.: US10404728B2
Publication date: 2019-09-03
Application No.: US15263487
Application date: 2016-09-13
Applicant: Cisco Technology, Inc.
Inventor: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
-
Publication No.: US20180013776A1
Publication date: 2018-01-11
Application No.: US15205122
Application date: 2016-07-08
Applicant: Cisco Technology, Inc.
Inventor: Sébastien Gay, Laurent Sartran, Jean-Philippe Vasseur
IPC: H04L29/06
CPC classification number: H04L63/1425, G06N99/005, H04L63/20
Abstract: In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
-
Publication No.: US20170279834A1
Publication date: 2017-09-28
Application No.: US15211093
Application date: 2016-07-15
Applicant: Cisco Technology, Inc.
Inventor: Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Laurent Sartran, Sébastien Gay
CPC classification number: H04L63/1425, G06N3/006, G06N20/00, H04L41/147, H04L43/024, H04L43/062, H04L43/14, H04L63/02, H04L63/145, H04L63/1458, H04L2463/144
Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.