公开(公告)号：US09930057B2

公开(公告)日：2018-03-27

申请号：US14874594

申请日：2015-10-05

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Javier Cruz Mota

IPC: H04L29/06

CPC classification number: H04L63/1425

Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.

公开(公告)号：US09870537B2

公开(公告)日：2018-01-16

申请号：US14164446

申请日：2014-01-27

Applicant: Cisco Technology, Inc.

Inventor： Jean-Philippe Vasseur ,  Javier Cruz Mota ,  Andrea Di Pietro

IPC: H04L29/06 ,  G06N99/00 ,  G06N3/08 ,  H04L12/26 ,  H04L12/24 ,  G06N3/04

CPC classification number: G06N99/005 ,  G06N3/0454 ,  G06N3/08 ,  G06N3/084 ,  H04L41/142 ,  H04L41/16 ,  H04L43/10 ,  H04L63/14 ,  H04L63/1408 ,  H04L63/1416

Abstract: In one embodiment, a first data set is received by a network device that is indicative of the statuses of a plurality of network devices when a type of network attack is not present. A second data set is also received that is indicative of the statuses of the plurality of network devices when the type of network attack is present. At least one of the plurality simulates the type of network attack by operating as an attacking node. A machine learning model is trained using the first and second data set to identify the type of network attack. A real network attack is then identified using the trained machine learning model.

公开(公告)号：US20170279834A1

公开(公告)日：2017-09-28

申请号：US15211093

申请日：2016-07-15

Applicant: Cisco Technology, Inc.

Inventor： Jean-Philippe Vasseur ,  Grégory Mermoud ,  Javier Cruz Mota ,  Laurent Sartran ,  Sébastien Gay

IPC: H04L29/06 ,  G06N99/00 ,  G06N5/04

CPC classification number: H04L63/1425 ,  G06N3/006 ,  G06N20/00 ,  H04L41/147 ,  H04L43/024 ,  H04L43/062 ,  H04L43/14 ,  H04L63/02 ,  H04L63/145 ,  H04L63/1458 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.

公开(公告)号：US20170099310A1

公开(公告)日：2017-04-06

申请号：US14874594

申请日：2015-10-05

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Javier Cruz Mota

IPC: H04L29/06

CPC classification number: H04L63/1425

Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.

公开(公告)号：US09563854B2

公开(公告)日：2017-02-07

申请号：US14164456

申请日：2014-01-27

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: G06F15/18 ,  G06N99/00 ,  G06N3/08 ,  G06N3/04 ,  G06F21/57 ,  H04L29/06

CPC classification number: G06N99/005 ,  G06F21/577 ,  G06N3/0454 ,  G06N3/08 ,  G06N3/084 ,  H04L63/1425 ,  H04L63/1458

Abstract: In one embodiment, a device determines that a machine learning model is to be trained by a plurality of devices in a network. A set of training devices are identified from among the plurality of devices to train the model, with each of the training devices having a local set of training data. An instruction is then sent to each of the training devices that is configured to cause a training device to receive model parameters from a first training device in the set, use the parameters with at least a portion of the local set of training data to generate new model parameters, and forward the new model parameters to a second training device in the set. Model parameters from the training devices are also received that have been trained using a global set of training data that includes the local sets of training data on the training devices.

Abstract translation: 在一个实施例中，设备确定机器学习模型将被网络中的多个设备训练。 从多个装置中识别出一组训练装置来训练模型，每个训练装置具有本地的一组训练数据。 然后将指令发送到被配置为使得训练设备从组中的第一训练设备接收模型参数的每个训练设备，使用与本地训练数据集合的至少一部分的参数来生成新的 模型参数，并将新模型参数转发到集合中的第二训练装置。 还接收来自训练装置的模型参数，该参数已经使用包括训练装置上的训练数据的本地训练数据的全局训练数据训练。

公开(公告)号：US09411916B2

公开(公告)日：2016-08-09

申请号：US14165092

申请日：2014-01-27

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: G06F17/00 ,  G06N5/02 ,  G06F17/50

CPC classification number: G06F17/5009 ,  G06N99/005 ,  Y02E60/76 ,  Y04S40/22

Abstract: In one embodiment, techniques are shown and described relating to a distributed approach for feature modeling on an LLN using principal component analysis. In one specific embodiment, a computer network has a plurality of nodes and a router. The router is configured to select one or more nodes of the plurality of nodes that will collaborate with the router for collectively computing a model of respective features for input to a Principal Component Analysis (PCA) model. In addition, the selected one or more nodes and the router are configured to perform a distributed computation of a PCA model between the router and the selected one or more nodes.

Abstract translation: 在一个实施例中，示出和描述了关于使用主成分分析在LLN上进行特征建模的分布式方法的技术。 在一个具体实施例中，计算机网络具有多个节点和路由器。 路由器被配置为选择将与路由器协作的多个节点中的一个或多个节点，以共同计算用于输入到主成分分析（PCA）模型的各个特征的模型。 此外，所选择的一个或多个节点和路由器被配置为在路由器和所选择的一个或多个节点之间执行PCA模型的分布式计算。

公开(公告)号：US20150326609A1

公开(公告)日：2015-11-12

申请号：US14273108

申请日：2014-05-08

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: H04L29/06

CPC classification number: H04L41/30 ,  G06Q10/10 ,  H04K3/22 ,  H04K2203/18 ,  H04L12/185 ,  H04L41/16 ,  H04L63/1425 ,  H04L63/1458 ,  H04L63/20 ,  H04L67/12 ,  H04W12/12

Abstract: In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result.

Abstract translation: 在一个实施例中，识别网络中的可能的投票节点。 可能的投票节点每个执行分类器，其被配置为基于一组输入特征从多个标签中选择标签。 基于网络策略从可能的投票节点中选择一组或多个合格投票节点。 然后将投票请求提供给一个或多个符合条件的投票节点，导致一个或多个合格投票节点从多个标签中选择标签。 从包括所选标签的合格投票节点收到投票，并用于确定投票结果。

公开(公告)号：US20150326598A1

公开(公告)日：2015-11-12

申请号：US14270759

申请日：2014-05-06

Applicant: Cisco Technology, Inc.

Inventor： Jean-Philippe Vasseur ,  Javier Cruz Mota ,  Andrea Di Pietro

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/10 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/20

Abstract: In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy.

Abstract translation: 在一个实施例中，沿着网络中的路径的节点接收攻击可检测性度量。 沿着路径的节点的攻击可检测性度量用于计算路径攻击可检测性值。 确定路径攻击可检测性值是否满足网络策略，并且基于不满足网络策略的路径攻击可检测性值来调整网络中的一个或多个路由路径。

公开(公告)号：US20150324582A1

公开(公告)日：2015-11-12

申请号：US14273676

申请日：2014-05-09

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Jean-Philippe Vasseur ,  Andrea Di Pietro ,  Javier Cruz Mota

IPC: G06F21/55

CPC classification number: G06F21/554 ,  H04L63/1408 ,  H04W12/12 ,  H04W84/18

Abstract: In one embodiment, a network node receives a voting request from a neighboring node that indicates a potential network attack. The network node determines a set of feature values to be used as input to a classifier based on the voting request. The network node also determines whether the potential network attack is present by using the set of feature values as input to the classifier. The network node further sends a vote to the neighboring node that indicates whether the potential network attack was determined to be present.

Abstract translation: 在一个实施例中，网络节点从指示潜在的网络攻击的相邻节点接收投票请求。 网络节点基于投票请求确定要用作分类器的输入的一组特征值。 网络节点还通过使用一组特征值作为分类器的输入来确定潜在的网络攻击是否存在。 网络节点还向相邻节点发送表示是否确定潜在网络攻击存在的投票。

公开(公告)号：US20150193695A1

公开(公告)日：2015-07-09

申请号：US14164456

申请日：2014-01-27

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: G06N99/00 ,  G06N3/08

CPC classification number: G06N99/005 ,  G06F21/577 ,  G06N3/0454 ,  G06N3/08 ,  G06N3/084 ,  H04L63/1425 ,  H04L63/1458

Abstract: In one embodiment, a device determines that a machine learning model is to be trained by a plurality of devices in a network. A set of training devices are identified from among the plurality of devices to train the model, with each of the training devices having a local set of training data. An instruction is then sent to each of the training devices that is configured to cause a training device to receive model parameters from a first training device in the set, use the parameters with at least a portion of the local set of training data to generate new model parameters, and forward the new model parameters to a second training device in the set. Model parameters from the training devices are also received that have been trained using a global set of training data that includes the local sets of training data on the training devices.

Abstract translation: 在一个实施例中，设备确定机器学习模型将被网络中的多个设备训练。 从多个装置中识别出一组训练装置来训练模型，每个训练装置具有本地的一组训练数据。 然后将指令发送到被配置为使培训设备从组中的第一训练设备接收模型参数的每个训练设备，使用与本地训练数据集合的至少一部分的参数来生成新的 模型参数，并将新模型参数转发到集合中的第二训练装置。 还接收来自训练装置的模型参数，该参数已经使用包括训练装置上的训练数据的本地训练数据的全局训练数据进行训练。