公开(公告)号：US20190372859A1

公开(公告)日：2019-12-05

申请号：US15996645

申请日：2018-06-04

Applicant: Cisco Technology, Inc.

Inventor： Grégory Mermoud ,  Jean-Philippe Vasseur ,  Andrea Di Pietro ,  Erwan Barry Tarik Zerhouni

IPC: H04L12/24 ,  H04L12/26 ,  G06F21/62 ,  G06N99/00

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

公开(公告)号：US20190238443A1

公开(公告)日：2019-08-01

申请号：US15880689

申请日：2018-01-26

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Javier Cruz Mota ,  Grégory Mermoud

IPC: H04L12/26 ,  H04L12/24

Abstract: In one embodiment, a local service of a network reports configuration information regarding the network to a cloud-based network assurance service. The local service receives a classifier selected by the cloud-based network assurance service based on the configuration information regarding the network. The local service classifies, using the received classifier, telemetry data collected from the network, to select a modeling strategy for the network. The local service installs, based on the modeling strategy for the network, a machine learning-based model to the local service for monitoring the network.

公开(公告)号：US10009364B2

公开(公告)日：2018-06-26

申请号：US15212430

申请日：2016-07-18

Applicant: Cisco Technology, Inc.

Inventor： Sukrit Dasgupta ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: H04L29/06 ,  H04L12/851 ,  H04L12/26

CPC classification number: H04L63/1425 ,  H04L41/142 ,  H04L41/16 ,  H04L43/026 ,  H04L43/04 ,  H04L43/16 ,  H04L45/00 ,  H04L47/2483 ,  H04L63/1416 ,  H04L63/1458

Abstract: In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.

公开(公告)号：US20180146007A1

公开(公告)日：2018-05-24

申请号：US15863257

申请日：2018-01-05

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/1416

Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

公开(公告)号：US20170279837A1

公开(公告)日：2017-09-28

申请号：US15212430

申请日：2016-07-18

Applicant: Cisco Technology, Inc.

Inventor： Sukrit Dasgupta ,  Jean-Philippe Vasseur ,  Andrea Di Pietro

IPC: H04L29/06 ,  H04L12/26 ,  H04L12/851

CPC classification number: H04L63/1425 ,  H04L43/16 ,  H04L45/00 ,  H04L47/2483 ,  H04L63/1416 ,  H04L63/1458

Abstract: In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.

公开(公告)号：US20170279831A1

公开(公告)日：2017-09-28

申请号：US15182190

申请日：2016-06-14

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Sukrit Dasgupta

IPC: H04L29/06 ,  H04L12/26 ,  H04L29/08

CPC classification number: H04L63/1425 ,  G06Q10/063 ,  G06Q50/01 ,  H04L43/0894 ,  H04L63/0236 ,  H04L63/0263 ,  H04L67/02 ,  H04L67/146

Abstract: In one embodiment, a device in a network identifies a universal resource locator (URL) from traffic destined for the URL that triggered a first anomaly detected by an anomaly detector. The device reports the first anomaly and the identified URL to a supervisory device in the network. The device receives a URL filter rule for the URL. The URL filter rule is configured to affect anomaly scores generated by the anomaly detector for traffic destined for the URL or a domain associated with the URL. The device uses the URL filter rule to adjust an anomaly score for a second anomaly detected by the anomaly detector based on the second anomaly involving traffic destined for the URL or the domain associated with the URL.

公开(公告)号：US20170279829A1

公开(公告)日：2017-09-28

申请号：US15180540

申请日：2016-06-13

Applicant: Cisco Technology, Inc.

Inventor： Jean-Philippe Vasseur ,  Grégory Mermoud ,  Pierre-André Savalle ,  Andrea Di Pietro ,  Sukrit Dasgupta

IPC: H04L29/06 ,  H04L12/24

CPC classification number: H04L63/1425 ,  G06N99/005 ,  H04L41/0893 ,  H04L63/0236 ,  H04L63/1458 ,  H04L63/20 ,  H04L67/303 ,  H04L2463/142 ,  H04L2463/144

Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.

公开(公告)号：US09705914B2

公开(公告)日：2017-07-11

申请号：US14338719

申请日：2014-07-23

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Javier Cruz Mota

IPC: H04L29/06 ,  G06F21/53 ,  G06F21/56 ,  G06F21/55

CPC classification number: H04L63/1458 ,  G06F21/53 ,  G06F21/55 ,  G06F21/56 ,  G06F21/566 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12

Abstract: In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.

公开(公告)号：US09559918B2

公开(公告)日：2017-01-31

申请号：US14278532

申请日：2014-05-15

Applicant: Cisco Technology, Inc.

Inventor： Andrea Di Pietro ,  Jean-Philippe Vasseur ,  Javier Cruz Mota

IPC: G06F11/00 ,  H04L12/26 ,  H04L29/06 ,  H04L29/08 ,  H04L12/24

CPC classification number: H04L43/04 ,  H04L41/30 ,  H04L63/1408 ,  H04L63/1458 ,  H04L67/04 ,  H04L67/12 ,  H04L2463/141

Abstract: In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.

Abstract translation: 在一个实施例中，第一节点的攻击观察被提供给用户接口设备关于由该节点检测到的攻击。 接收到来自用户界面设备的输入，其确认第一节点的特定攻击观察指示第一节点正确地检测到攻击。 一个或多个其他节点的攻击观察被提供给用户界面设备。 从用户接口设备接收输入，确认第一节点的攻击观察和一个或多个其他节点的攻击观察是否与攻击有关。 基于来自第一节点和一个或多个其他相关节点的攻击观察，基于投票的攻击检测机制中的一个或多个其他节点被识别为第一节点的潜在选民。

公开(公告)号：US09286473B2

公开(公告)日：2016-03-15

申请号：US14165439

申请日：2014-01-27

Applicant: Cisco Technology, Inc.

Inventor： Javier Cruz Mota ,  Jean-Philippe Vasseur ,  Andrea Di Pietro ,  Jonathan W. Hui

IPC: G06F21/55 ,  H04W12/12

CPC classification number: G06F21/554 ,  H04W12/12

Abstract: In one embodiment, techniques are shown and described relating to quarantine-based mitigation of effects of a local DoS attack. A management device may receive data indicating that one or more nodes in a shared-media communication network are under attack by an attacking node. The management device may then communicate a quarantine request packet to the one or more nodes under attack, the quarantine request packet providing instructions to the one or more nodes under attack to alter their frequency hopping schedule without allowing the attacking node to learn of the altered frequency hopping schedule.

Abstract translation: 在一个实施例中，显示和描述与基于隔离的缓解本地DoS攻击的影响相关的技术。 管理设备可以接收指示共享媒体通信网络中的一个或多个节点受攻击节点攻击的数据。 然后，管理设备可以向被攻击的一个或多个节点传送隔离请求分组，所述隔离请求分组向被攻击的一个或多个节点提供指令以改变其跳频计划，而不允许攻击节点学习改变的频率 跳跃时间表。