Abstract:
In one embodiment, a first device in a network receives traffic flow data from a plurality of devices in the network. The traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow. The first device selects a set of reporting devices from among the plurality of devices based on the received traffic flow data. The first device provides traffic flow reporting instructions to the selected set of reporting devices. The traffic flow reporting instructions cause each reporting device to provide sampled traffic flow data to an anomaly detection device.
Abstract:
In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.
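The abstract above describes a device that sees only one direction of a flow and learns the other direction from a peer before scoring. The following is an added example of that merge step, not code from the patent: the flow records are constructed, the direction-agnostic key and the derived features are this example's own choices, and the detector is a median/MAD robust-z scorer standing in for the patent's unspecified machine learning model. The point it makes is that features only visible with both directions joined (unanswered flows, SYN-only flows, byte and packet asymmetry) are what separate the probe from ordinary sessions.

```python
"""Added example: merging the two directions of a flow, each captured by a
different device, into one feature set and scoring it. Not the patent's code;
records are constructed and the scorer is a median/MAD stand-in for the
(unspecified) ML detector."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class FlowRecord:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int
    syn: int  # number of packets carrying the SYN flag


def flow_key(r):
    """Direction-agnostic key so A->B seen on the first device and B->A seen on
    the second device land on the same entry."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (min(a, b), max(a, b), r.proto)


def merge_directions(local, remote):
    """Join the first device's records (forward direction) with the second
    device's records (reverse direction). A flow seen in only one direction is
    kept with zeros for the missing side; that asymmetry is itself a feature."""
    by_key = {}
    for r in local:
        by_key.setdefault(flow_key(r), {})["fwd"] = r
    for r in remote:
        by_key.setdefault(flow_key(r), {})["rev"] = r
    feats = {}
    for k, d in by_key.items():
        f, v = d.get("fwd"), d.get("rev")
        fp, fb, fs = (f.packets, f.octets, f.syn) if f else (0, 0, 0)
        rp, rb = (v.packets, v.octets) if v else (0, 0)
        feats[k] = {
            "pkt_ratio": fp / (rp + 1),
            "byte_ratio": fb / (rb + 1),
            "bytes_per_pkt_fwd": fb / max(fp, 1),
            "bytes_per_pkt_rev": rb / max(rp, 1),
            "unanswered": 1.0 if (f is None) != (v is None) else 0.0,
            "syn_only": 1.0 if fp > 0 and fs == fp and rp == 0 else 0.0,
        }
    return feats


def robust_scores(column):
    """|x - median| / (1.4826 * MAD) per value; the floor keeps a constant
    column from dividing by zero and still flags a lone deviating flow."""
    med = median(column)
    mad = median(abs(x - med) for x in column)
    scale = max(1.4826 * mad, 1e-6)
    return [abs(x - med) / scale for x in column]


def score_flows(feats, threshold=5.0):
    """Anomaly score per flow = largest robust z over its features;
    returns {key: (score, is_anomaly)}."""
    keys = list(feats)
    if not keys:
        return {}
    names = list(feats[keys[0]])
    per_feature = {n: robust_scores([feats[k][n] for k in keys]) for n in names}
    out = {}
    for i, k in enumerate(keys):
        score = max(per_feature[n][i] for n in names)
        out[k] = (score, score >= threshold)
    return out


# Constructed sample: five ordinary HTTPS sessions plus one SYN probe to 445/tcp
# that never gets an answer, so only the first device ever sees it.
LOCAL_FLOWS = [  # forward direction, captured by the first device
    FlowRecord("10.0.0.5", 40001, "10.0.1.20", 443, "tcp", 120, 90000, 1),
    FlowRecord("10.0.0.6", 40002, "10.0.1.20", 443, "tcp", 100, 80000, 1),
    FlowRecord("10.0.0.7", 40003, "10.0.1.21", 443, "tcp", 130, 95000, 1),
    FlowRecord("10.0.0.8", 40004, "10.0.1.22", 443, "tcp", 110, 85000, 1),
    FlowRecord("10.0.0.9", 40005, "10.0.1.23", 443, "tcp", 90, 70000, 1),
    FlowRecord("10.0.0.99", 55555, "10.0.1.30", 445, "tcp", 3, 180, 3),
]
REMOTE_FLOWS = [  # reverse direction, reported by the second device
    FlowRecord("10.0.1.20", 443, "10.0.0.5", 40001, "tcp", 150, 600000, 1),
    FlowRecord("10.0.1.20", 443, "10.0.0.6", 40002, "tcp", 140, 550000, 1),
    FlowRecord("10.0.1.21", 443, "10.0.0.7", 40003, "tcp", 160, 620000, 1),
    FlowRecord("10.0.1.22", 443, "10.0.0.8", 40004, "tcp", 145, 580000, 1),
    FlowRecord("10.0.1.23", 443, "10.0.0.9", 40005, "tcp", 120, 450000, 1),
]

if __name__ == "__main__":
    merged = merge_directions(LOCAL_FLOWS, REMOTE_FLOWS)
    for key, (score, flagged) in score_flows(merged).items():
        print(key, round(score, 2), "ANOMALY" if flagged else "")
```

Only the 445/tcp probe is flagged; each HTTPS session scores well under the threshold because its forward and reverse halves are both present and in proportion. Scoring the forward direction alone would not separate a short session from a probe nearly as cleanly, which is the reason the abstract has the first device wait for the second device's report before classifying.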
Abstract:
In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model.
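The gating in the abstract above (train the unsupervised model only on windows the supervised model cleared) is there to keep known attack traffic out of the learned notion of "normal". The following added example shows why; it is not the patent's code. The per-minute windows are constructed, and both models are deliberately small stand-ins for the patent's unspecified ones: a decision stump learned from labelled windows as the supervised model, and a Welford running mean/variance baseline as the unsupervised one. The same stream is learned once with the gate and once without, and the contaminated baseline can no longer see the scan.

```python
"""Added example of gating unsupervised training on the supervised verdict.
Not the patent's code: windows are constructed; the stump classifier and the
Welford baseline stand in for the patent's unspecified models."""
import math


class StumpClassifier:
    """Supervised model: from labelled windows, learn the single
    (feature, threshold) rule that best separates attack (1) from benign (0)."""

    def fit(self, windows, labels):
        best = None
        for f in sorted(windows[0]):
            vals = sorted({w[f] for w in windows})
            for lo, hi in zip(vals, vals[1:]):
                t = (lo + hi) / 2
                errors = sum((w[f] > t) != bool(y) for w, y in zip(windows, labels))
                if best is None or errors < best[0]:
                    best = (errors, f, t)
        self.errors, self.feature, self.threshold = best
        return self

    def predict(self, window):
        """True when the window looks like an attack."""
        return window[self.feature] > self.threshold


class RunningBaseline:
    """Unsupervised model: per-feature running mean/variance (Welford) of what
    has been accepted as normal; scores a window by its largest |z|."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, {}, {}

    def update(self, window):
        self.n += 1
        for f, x in window.items():
            m = self.mean.get(f, 0.0)
            delta = x - m
            m += delta / self.n
            self.mean[f] = m
            self.m2[f] = self.m2.get(f, 0.0) + delta * (x - m)

    def score(self, window):
        if self.n < 2:
            return 0.0
        zs = []
        for f, x in window.items():
            std = math.sqrt(self.m2[f] / (self.n - 1))
            zs.append(abs(x - self.mean[f]) / max(std, 1e-6))
        return max(zs)


def train_baseline(stream, supervised=None):
    """Feed (window_id, window) pairs into a fresh baseline. With a supervised
    model, windows it flags are reported instead of being learned as normal;
    without one, everything is learned (the contaminated case)."""
    baseline, flagged = RunningBaseline(), []
    for wid, w in stream:
        if supervised is not None and supervised.predict(w):
            flagged.append(wid)
        else:
            baseline.update(w)
    return baseline, flagged


# Constructed per-minute windows: syn_rate = TCP SYNs per second,
# new_dst_per_min = distinct new destinations contacted in the minute.
LABELLED = [
    ({"syn_rate": 20, "new_dst_per_min": 5}, 0),
    ({"syn_rate": 25, "new_dst_per_min": 6}, 0),
    ({"syn_rate": 18, "new_dst_per_min": 4}, 0),
    ({"syn_rate": 30, "new_dst_per_min": 7}, 0),
    ({"syn_rate": 400, "new_dst_per_min": 80}, 1),
    ({"syn_rate": 650, "new_dst_per_min": 120}, 1),
]
STREAM = [
    ("w1", {"syn_rate": 22, "new_dst_per_min": 5}),
    ("w2", {"syn_rate": 27, "new_dst_per_min": 6}),
    ("w3", {"syn_rate": 500, "new_dst_per_min": 95}),  # a scan the supervised model recognises
    ("w4", {"syn_rate": 19, "new_dst_per_min": 5}),
    ("w5", {"syn_rate": 24, "new_dst_per_min": 6}),
]

if __name__ == "__main__":
    clf = StumpClassifier().fit([w for w, _ in LABELLED], [y for _, y in LABELLED])
    gated, flagged = train_baseline(STREAM, clf)
    naive, _ = train_baseline(STREAM)
    probe = STREAM[2][1]
    print("supervised flagged:", flagged)
    print("gated baseline z for the scan window:", round(gated.score(probe), 1))
    print("contaminated baseline z for the same window:", round(naive.score(probe), 1))
```

With the gate, the baseline is built from four clean windows and the scan scores well over a hundred standard deviations out. Without it, the scan is absorbed into the mean and variance and scores under two, which is the failure mode the abstract's ordering is designed to prevent. The caveat a practitioner should keep in mind is the converse: anything the supervised model does not know will still be learned as normal, so the gate narrows the contamination to novel attacks rather than eliminating it.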
Abstract:
In one embodiment, a network device routes traffic along a network path and receives a performance threshold crossing alert regarding performance of the network path. By analyzing the alert, the network device detects that the performance threshold crossing alert is part of a potential network attack. The network device also provides a notification of the detected network attack.
Abstract:
In one embodiment, a device in a network receives a switchover policy for a particular type of traffic in the network. The device determines a predicted effect of directing a traffic flow of the particular type of traffic from a first path in the network to a second path in the network. The device determines whether the predicted effect of directing the traffic flow to the second path would violate the switchover policy. The device causes the traffic flow to be routed via the second path in the network, based on a determination that the predicted effect of directing the traffic flow to the second path would not violate the switchover policy for the particular type of traffic.
Abstract:
In one embodiment, a device in a network identifies a uniform resource locator (URL) from traffic destined for the URL that triggered a first anomaly detected by an anomaly detector. The device reports the first anomaly and the identified URL to a supervisory device in the network. The device receives a URL filter rule for the URL. The URL filter rule is configured to affect anomaly scores generated by the anomaly detector for traffic destined for the URL or a domain associated with the URL. The device uses the URL filter rule to adjust an anomaly score for a second anomaly detected by the anomaly detector based on the second anomaly involving traffic destined for the URL or the domain associated with the URL.
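The report-then-rescale loop in the abstract above, as an added example that is not the patent's code. The supervisory device is simulated by an in-process lookup table, and the rule format (a pattern, a flag saying whether it covers the whole domain, and a multiplicative factor on the score) is this example's assumption; the patent does not specify how a rule "affects" a score. The part worth getting right is the domain match: it has to be done on a dot boundary, otherwise a rule for `updates.example.com` would also quiet traffic to `updates.example.com.attacker.net`.

```python
"""Added example of URL filter rules that adjust anomaly scores. Not the
patent's code: the supervisory device, the rule format and the anomaly
records are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlFilterRule:
    pattern: str        # an exact URL, or a domain such as "updates.example.com"
    domain_wide: bool   # True: the rule covers the domain and its subdomains
    factor: float       # multiplier on the detector's score (0 < factor < 1 suppresses)


def domain_of(url):
    """Hostname part of a URL (urlsplit lowercases it); '' when unparseable."""
    return (urlsplit(url).hostname or "").lower()


def rule_matches(rule, url):
    """Exact-URL rules match only that URL. Domain rules match the domain and
    its subdomains, compared on a dot boundary so 'example.com' never matches
    an attacker-controlled 'example.com.attacker.net'."""
    if not rule.domain_wide:
        return url == rule.pattern
    d = domain_of(url)
    p = rule.pattern.lower()
    return d == p or d.endswith("." + p)


class UrlAwareDetector:
    """Wraps raw anomaly scores: reports the URL behind an anomaly no rule
    covers, stores whatever rule the supervisory device returns, and rescales
    the scores of later anomalies involving a matching URL or domain."""

    def __init__(self, supervisor):
        self.supervisor = supervisor   # callable: (anomaly_id, url) -> UrlFilterRule or None
        self.rules = []
        self.reported = []

    def handle(self, anomaly_id, url, raw_score):
        applicable = [r for r in self.rules if rule_matches(r, url)]
        if applicable:
            # Several rules can match; apply the most suppressive one so that
            # allow-listing a whole domain is not undone by a narrower rule.
            return raw_score * min(r.factor for r in applicable)
        # No rule yet: report anomaly and URL; the supervisory device may answer with one.
        self.reported.append((anomaly_id, url))
        rule = self.supervisor(anomaly_id, url)
        if rule is not None:
            self.rules.append(rule)
        return raw_score


# Constructed stand-in for the supervisory device: an operator has marked the
# software-update domain as expected traffic.
KNOWN_RULES = {
    "updates.example.com": UrlFilterRule("updates.example.com", domain_wide=True, factor=0.1),
}


def mock_supervisor(anomaly_id, url):
    return KNOWN_RULES.get(domain_of(url))


def run_scenario():
    """Four constructed anomalies in order; returns (adjusted scores, detector)."""
    det = UrlAwareDetector(mock_supervisor)
    scores = [
        det.handle("a1", "https://updates.example.com/v2/manifest.json", 0.9),
        det.handle("a2", "https://cdn.updates.example.com/v2/pkg/1234.tar", 0.8),
        det.handle("a3", "https://updates.example.com.attacker.net/v2/manifest.json", 0.8),
        det.handle("a4", "https://evil.example.net/c2", 0.95),
    ]
    return scores, det


if __name__ == "__main__":
    scores, det = run_scenario()
    print("adjusted scores:", scores)
    print("reported to supervisor:", det.reported)
```

The first anomaly is reported at full score and comes back with a domain-wide rule; the second, to a subdomain of the same domain, is scaled down by the rule; the look-alike domain in the third and the unrelated domain in the fourth are reported unchanged. Note that the rule is keyed on the destination host, so it does nothing about what is fetched from that host; a factor of 0 would be an allow-list, and the abstract's wording (a rule that "affects" the score rather than removes the detection) leaves room for amplifying factors as well.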
Abstract:
In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
Abstract:
In one embodiment, a device in a network receives an indication of a traffic shaping rate adjustment by a node due to a network condition. The device identifies a set of network nodes that are associated with the network condition. The device detects a traffic shaping rules violation by an offending node in the set of network nodes. The device sends an instruction that causes the offending node to use a different traffic shaping rate.
Abstract:
In one embodiment, techniques are shown and described relating to a mixed centralized/distributed algorithm for risk mitigation in sparsely connected networks. In particular, in one embodiment, a management node determines one or more weak point nodes in a shared-media communication network, where a weak point node is a node traversed by a relatively high amount of traffic as compared to other nodes in the network. In response to determining that a portion of the traffic can be routed over an alternate acceptable node, the management node instructs the portion of traffic to reroute over the alternate acceptable node.
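The weak-point logic in the abstract above, as an added example that is not the patent's code. It finds the transit nodes carrying a disproportionate share of the traffic and moves part of each affected flow onto the cheapest path that avoids them, but only when that detour is acceptable. The topology and flow volumes are constructed, and two thresholds are this example's assumptions where the abstract leaves them open: a node is "weak" when its transit load exceeds twice the mean node load, and an alternate path is "acceptable" when it costs at most 1.5 times the original. The sparse case the abstract is concerned with shows up as S3, which has no route at all that avoids the hub.

```python
"""Added example: locating weak-point nodes in a sparsely connected network and
shifting a portion of traffic onto an acceptable alternate path. Not the
patent's code; topology, volumes, the weak-point ratio and the stretch bound
are constructed assumptions."""
import heapq
from collections import defaultdict
from statistics import mean


def build_graph(edges):
    """Undirected weighted adjacency from (u, v, cost) triples."""
    g = defaultdict(dict)
    for u, v, w in edges:
        g[u][v] = w
        g[v][u] = w
    return g


def shortest_path(graph, src, dst, exclude=frozenset()):
    """Dijkstra; returns (cost, [src, ..., dst]) or (inf, None). Nodes in
    `exclude` are never entered, which is how detours around weak points are found."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            path = [u]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return d, path[::-1]
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if v in exclude:
                continue
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return float("inf"), None


def node_loads(graph, flows):
    """Traffic volume traversing each node as a transit hop (endpoints excluded)."""
    loads = {n: 0.0 for n in graph}
    for src, dst, volume in flows:
        _, path = shortest_path(graph, src, dst)
        for hop in (path or [])[1:-1]:
            loads[hop] += volume
    return loads


def weak_points(loads, ratio=2.0):
    """Nodes carrying more than `ratio` times the mean transit load (assumed test)."""
    threshold = ratio * mean(loads.values())
    return sorted(n for n, load in loads.items() if load > threshold)


def mitigate(graph, flows, weak, fraction=0.5, max_stretch=1.5):
    """For each flow crossing a weak point, move `fraction` of its volume onto the
    cheapest path avoiding all weak points, provided that path costs at most
    max_stretch times the original. Returns (new loads, [(src, dst, moved, path)])."""
    weak = set(weak)
    loads = {n: 0.0 for n in graph}
    moved = []
    for src, dst, volume in flows:
        cost, path = shortest_path(graph, src, dst)
        if path is None:
            continue
        alt_volume, alt_path = 0.0, None
        if weak.intersection(path[1:-1]):
            alt_cost, alt_path = shortest_path(graph, src, dst, exclude=weak)
            if alt_path is not None and alt_cost <= max_stretch * cost:
                alt_volume = fraction * volume
                moved.append((src, dst, alt_volume, alt_path))
        for hop in path[1:-1]:
            loads[hop] += volume - alt_volume
        if alt_volume:
            for hop in alt_path[1:-1]:
                loads[hop] += alt_volume
    return loads, moved


# Constructed topology: hub H is the cheap path for everything; X is a slightly
# longer detour reachable only from S1 and S2, and S3 has no way around H.
EDGES = [("S1", "H", 1), ("S2", "H", 1), ("S3", "H", 1), ("H", "D1", 1), ("H", "D2", 1),
         ("S1", "X", 1.5), ("X", "D1", 1.5), ("S2", "X", 1.5), ("X", "D2", 1.5)]
FLOWS = [("S1", "D1", 100), ("S2", "D2", 100), ("S3", "D1", 100), ("S3", "D2", 50)]

if __name__ == "__main__":
    g = build_graph(EDGES)
    before = node_loads(g, FLOWS)
    weak = weak_points(before)
    after, moved = mitigate(g, FLOWS, weak)
    print("weak points:", weak)
    for src, dst, vol, path in moved:
        print(f"reroute {vol:g} of {src}->{dst} via {'-'.join(path)}")
    print("loads before:", before, "after:", after)
```

On the constructed topology H carries all 350 units and is the only weak point; half of the two flows that can detour via X is moved there, taking H to 250 and X to 100, while S3's flows stay on H because no acceptable alternate exists. The split between a management node that computes this and the routers that carry it out is what the abstract calls mixed centralized/distributed: the management node needs the whole-network view to know which nodes are weak, but the reroute instruction itself is local to each affected flow.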