73. Stealth mitigation for simulating the success of an attack
    Granted invention patent (status: in force)

    Publication number: US09497215B2

    Publication date: 2016-11-15

    Application number: US14338653

    Filing date: 2014-07-23

    CPC classification number: H04L63/1458 H04L63/1416 H04L2463/141

    Abstract: In one embodiment, attack traffic corresponding to a detected denial of service (DoS) attack from one or more attacker nodes is received at a DoS attack management node in a network. The DoS attack management node determines attack information relating to the attack traffic, including a type of the DoS attack and an intended target of the DoS attack. Then, the DoS attack management node triggers an attack mimicking action based on the attack information, where the attack mimicking action mimics the behavior of the intended target that the one or more attacker nodes would expect to see if the DoS attack were successful.

74. Applying a mitigation specific attack detector using machine learning
    Granted invention patent (status: in force)

    Publication number: US09407646B2

    Publication date: 2016-08-02

    Application number: US14338909

    Filing date: 2014-07-23

    CPC classification number: H04L63/1416 H04L63/1425 H04L63/1458

    Abstract: In one embodiment, a device in a network detects a network attack using aggregated metrics for a set of traffic data. In response to detecting the network attack, the device causes the traffic data to be clustered into a set of traffic data clusters. The device causes one or more attack detectors to analyze the traffic data clusters. The device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic based on an analysis of the clusters by the one or more attack detectors.
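    The pipeline this abstract describes, written out as an added example (this is illustrative code, not the patent's or the assignee's implementation): a coarse detector on an aggregate metric fires, the individual flow records are clustered, a cluster-level attack detector inspects each cluster, and the clusters are split into attack-related and normal sets. The features (log packet rate, packet size), the k-means clustering, the thresholds and the flow records are all assumptions made here; the abstract fixes none of them.

```python
"""Added illustrative example; not code from the patent or its assignee.
Pipeline sketched by the abstract: an aggregate-metric detector fires, the
individual flow records are clustered, a cluster-level attack detector
inspects each cluster, and clusters are split into attack-related and
normal sets. Thresholds, features and flow records are constructed."""
import math
from statistics import mean

# Constructed per-flow records: (source, packets_per_second, mean_packet_bytes).
FLOWS = [
    ("10.0.0.5", 12.0, 900.0), ("10.0.0.7", 8.0, 1200.0),
    ("10.0.0.9", 15.0, 750.0), ("10.0.0.11", 10.0, 1000.0),
    ("10.0.0.12", 9.0, 1100.0),
    ("198.51.100.20", 950.0, 64.0), ("198.51.100.21", 1010.0, 60.0),
    ("198.51.100.22", 990.0, 62.0), ("198.51.100.23", 1005.0, 61.0),
]

AGGREGATE_PPS_LIMIT = 500.0   # assumed limit for the coarse, aggregate detector


def aggregated_attack_detected(flows):
    """Coarse detector on an aggregated metric: total packet rate of all flows."""
    return sum(pps for _, pps, _ in flows) > AGGREGATE_PPS_LIMIT


def _features(flow):
    # Scale both dimensions to similar magnitudes (log packet rate, size as a
    # fraction of a 1500-byte MTU) so neither dominates the distance.
    _, pps, size = flow
    return (math.log1p(pps), size / 1500.0)


def _distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cluster_flows(flows, iterations=20):
    """Two-cluster k-means. Centroids start at the lowest- and highest-rate
    flows so the run is deterministic; returns the non-empty clusters."""
    points = [_features(f) for f in flows]
    by_rate = sorted(range(len(flows)), key=lambda i: flows[i][1])
    centroids = [points[by_rate[0]], points[by_rate[-1]]]
    for _ in range(iterations):
        assign = [min((0, 1), key=lambda c: _distance(p, centroids[c])) for p in points]
        updated = []
        for c in (0, 1):
            members = [points[i] for i, a in enumerate(assign) if a == c]
            updated.append(tuple(map(mean, zip(*members))) if members else centroids[c])
        if updated == centroids:
            break
        centroids = updated
    clusters = [[flows[i] for i, a in enumerate(assign) if a == c] for c in (0, 1)]
    return [c for c in clusters if c]


def flood_detector(cluster):
    """Cluster-level detector: many small packets at a high rate (constructed rule)."""
    return mean(f[1] for f in cluster) > 200.0 and mean(f[2] for f in cluster) < 128.0


def segregate(flows, detectors=(flood_detector,)):
    """Returns (attack_clusters, normal_clusters). Without an aggregate alert
    the flows are not clustered at all and stay one normal group."""
    if not aggregated_attack_detected(flows):
        return [], [list(flows)]
    attack, normal = [], []
    for cluster in cluster_flows(flows):
        (attack if any(d(cluster) for d in detectors) else normal).append(cluster)
    return attack, normal


if __name__ == "__main__":
    attack, normal = segregate(FLOWS)
    for c in attack:
        print("attack cluster:", [src for src, _, _ in c])
    for c in normal:
        print("normal cluster:", [src for src, _, _ in c])
```

    The point worth noticing is that the per-cluster detector only runs after the aggregate alert, so the expensive analysis is spent on a handful of clusters rather than on every flow, and the attack-related set comes out as whole clusters (here the four 198.51.100.0/24 sources) rather than as individual flows.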

75. Using learning machine-based prediction in multi-hopping networks
    Granted invention patent (status: in force)

    Publication number: US09369351B2

    Publication date: 2016-06-14

    Application number: US14164507

    Filing date: 2014-01-27

    Abstract: In one embodiment, statistical information is collected relating to one or both of communication link quality or channel quality in a frequency-hopping network, in which packets are sent according to a frequency-hopping schedule that defines one or more timeslots, each timeslot corresponding to a transmission frequency. Also, a performance metric of a particular transmission frequency corresponding to a scheduled timeslot is predicted based on the collected statistical information. Based on the predicted performance metric, it is determined whether a transmitting node in the frequency-hopping network should transmit a packet during the scheduled timeslot using the particular transmission frequency or wait until a subsequent timeslot to transmit the packet using another transmission frequency.

76. Control loop control using broadcast channel to communicate with a node under attack
    Granted invention patent (status: in force)

    Publication number: US09294488B2

    Publication date: 2016-03-22

    Application number: US14165415

    Filing date: 2014-01-27

    Abstract: In one embodiment, a control loop that uses a broadcast channel may be used to communicate with a node under attack. A management device may receive data indicating that one or more nodes in a computer network are under attack. The management device may then determine that one or more intermediate nodes are in proximity to the one or more nodes under attack, and communicate an attack-mitigation packet to the one or more nodes under attack by using the one or more intermediate nodes to relay the attack-mitigation packet to them.

77. BEHAVIORAL WHITE LABELING
    Invention patent application (status: in force)

    Publication number: US20160028763A1

    Publication date: 2016-01-28

    Application number: US14338582

    Filing date: 2014-07-23

    CPC classification number: H04L63/1458 H04L63/1416

    Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
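    One way to realise such a traffic model manager, as an added example that is not the patent's or the assignee's code: a model per known benign flow type is fitted from labelled benign samples, a new flow's degree of conformance is the average per-feature closeness to the model's band, flows above a threshold are white-labelled, and only the rest are handed to a DoS attack detector. The flow types (DNS and NTP clients), the three features, the band construction, the conformance score, the threshold and every flow record are assumptions made here; the stand-in detector is a simple rate rule, not a real product.

```python
"""Added illustrative example; not code from the patent or its assignee.
A traffic model manager holds one model per known benign flow type, fitted
from labelled benign samples. A new flow's degree of conformance is the
average per-feature closeness to the model's band; flows that conform well
enough are white-labelled, the rest go to a DoS attack detector.
Flow types, features, bands and all flow records are constructed."""
from statistics import mean, pstdev

FEATURES = ("pps", "mean_bytes", "duration_s")


class TrafficModel:
    """Band model for one (protocol, destination port) flow type."""

    def __init__(self, name, proto, dst_port, benign_samples, sigmas=3.0):
        self.name, self.key = name, (proto, dst_port)
        self.bands = {}
        for f in FEATURES:
            values = [s[f] for s in benign_samples]
            mu, sd = mean(values), pstdev(values)
            # Floor the width so a constant feature (sd == 0) does not give a
            # zero-width band that rejects every flow.
            width = max(sigmas * sd, 0.1 * abs(mu))
            self.bands[f] = (mu, width)

    def conformance(self, flow):
        """0.0 for a different flow type; otherwise the mean over features of
        max(0, 1 - |x - mu| / width), so 1.0 means exactly typical."""
        if (flow["proto"], flow["dst_port"]) != self.key:
            return 0.0
        scores = [max(0.0, 1.0 - abs(flow[f] - mu) / width)
                  for f, (mu, width) in self.bands.items()]
        return mean(scores)


def rate_based_dos_detector(flow):
    """Stand-in for the network's DoS attack detector (constructed rule)."""
    return "attack" if flow["pps"] > 500.0 else "scanned-clean"


class TrafficModelManager:
    def __init__(self, models, dos_detector, threshold=0.5):
        self.models, self.dos_detector, self.threshold = models, dos_detector, threshold
        self.forwarded = 0   # how many flows reached the detector

    def handle(self, flow):
        """Returns (decision, degree): 'non-malicious' for a white-labelled
        flow, otherwise whatever the DoS detector returned."""
        degree = max((m.conformance(flow) for m in self.models), default=0.0)
        if degree >= self.threshold:
            return "non-malicious", degree
        self.forwarded += 1
        return self.dos_detector(flow), degree


def build_manager():
    """Constructed models: a DNS resolver client and a fixed-interval NTP client."""
    dns_samples = [
        {"pps": 3.0, "mean_bytes": 80.0, "duration_s": 2.0},
        {"pps": 2.0, "mean_bytes": 75.0, "duration_s": 1.5},
        {"pps": 4.0, "mean_bytes": 85.0, "duration_s": 2.5},
        {"pps": 3.0, "mean_bytes": 80.0, "duration_s": 2.0},
    ]
    ntp_samples = [{"pps": 0.05, "mean_bytes": 76.0, "duration_s": 64.0}] * 3
    models = [TrafficModel("dns-client", "udp", 53, dns_samples),
              TrafficModel("ntp-client", "udp", 123, ntp_samples)]
    return TrafficModelManager(models, rate_based_dos_detector)


# Constructed flows to classify.
BENIGN_DNS = {"proto": "udp", "dst_port": 53, "pps": 3.5, "mean_bytes": 82.0, "duration_s": 2.2}
DNS_FLOOD = {"proto": "udp", "dst_port": 53, "pps": 2000.0, "mean_bytes": 60.0, "duration_s": 0.5}
BENIGN_NTP = {"proto": "udp", "dst_port": 123, "pps": 0.052, "mean_bytes": 76.0, "duration_s": 63.0}
HTTP_FLOW = {"proto": "tcp", "dst_port": 80, "pps": 20.0, "mean_bytes": 600.0, "duration_s": 5.0}

if __name__ == "__main__":
    manager = build_manager()
    for name, flow in [("dns", BENIGN_DNS), ("dns flood", DNS_FLOOD),
                       ("ntp", BENIGN_NTP), ("http", HTTP_FLOW)]:
        print(name, manager.handle(flow))
    print("flows forwarded to the DoS detector:", manager.forwarded)
```

    Two details matter in practice. The NTP model is fitted from identical samples, so without the width floor its bands would be zero-wide and the white label would never apply; and a flood aimed at the same port as a modelled benign service (the DNS flood above) scores 0 on every feature and is still forwarded, which is what keeps the white label from becoming a bypass.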

78. NETWORK ATTACK DETECTION USING COMBINED PROBABILITIES
    Invention patent application (status: in force)

    Publication number: US20160028751A1

    Publication date: 2016-01-28

    Application number: US14338751

    Filing date: 2014-07-23

    Abstract: In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
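    A worked version of the label fusion the abstract describes, added here and not taken from the patent: three detectors each apply a label with a probability, a dependency table states how strongly one applied label supports another, and the finalized label is the one with the highest combined probability. The noisy-OR combination rule, the dependency values, the labels and the detector outputs are all assumptions of this example; the abstract does not specify the rule.

```python
"""Added illustrative example; not code from the patent or its assignee.
Several attack detectors each apply a label with a probability. A
dependency table says how strongly one applied label supports another.
Support for a label is combined across detectors and across dependent
labels with a noisy-OR rule (an assumption of this example, not the
patent's rule), and the label with the highest combined probability is
finalized. Labels, detectors, probabilities and the table are constructed."""
from collections import defaultdict

# Constructed output label dependencies: DEPENDENCIES[a][b] = P(b applies | a applies).
DEPENDENCIES = {
    "dns_amplification": {"udp_flood": 0.9, "port_scan": 0.05},
    "udp_flood": {"dns_amplification": 0.3, "port_scan": 0.05},
    "port_scan": {"dns_amplification": 0.05, "udp_flood": 0.05},
}

# Constructed detector outputs: (detector, applied label, probability).
DETECTOR_OUTPUTS = [
    ("reflection-detector", "dns_amplification", 0.6),
    ("rate-detector", "udp_flood", 0.5),
    ("scan-detector", "port_scan", 0.4),
]


def dependency(source, target, deps=DEPENDENCIES):
    """P(target | source); a label fully supports itself."""
    return 1.0 if source == target else deps.get(source, {}).get(target, 0.0)


def merge_detector_outputs(outputs):
    """Merge outputs into {label: probability}. Independent detectors that
    apply the same label are combined by noisy-OR: 1 - prod(1 - p_i)."""
    miss = defaultdict(lambda: 1.0)
    for detector, label, p in outputs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{detector}: probability {p} out of range")
        miss[label] *= 1.0 - p
    return {label: 1.0 - m for label, m in miss.items()}


def combined_probability(applied, source, target, deps=DEPENDENCIES):
    """Combined probability that `target` holds because `source` was applied:
    P(source) * P(target | source)."""
    return applied[source] * dependency(source, target, deps)


def finalize(applied, deps=DEPENDENCIES):
    """Score every applied label by noisy-OR over the combined probabilities
    contributed by all applied labels (itself included); return the
    finalized label and the full score table."""
    scores = {}
    for target in applied:
        miss = 1.0
        for source in applied:
            miss *= 1.0 - combined_probability(applied, source, target, deps)
        scores[target] = 1.0 - miss
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    applied = merge_detector_outputs(DETECTOR_OUTPUTS)
    label, scores = finalize(applied)
    print("applied:", applied)
    print("finalized:", label, {k: round(v, 3) for k, v in scores.items()})
```

    With these inputs the highest single applied probability is dns_amplification (0.6), but because an amplification label strongly implies udp_flood (0.9) the combined score for udp_flood comes out at about 0.77 against 0.67, so the finalized label differs from the naive argmax. That is the effect the dependency information is there to produce.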

79. ANOMALY DETECTION IN A COMPUTER NETWORK
    Invention patent application (status: in force)

    Publication number: US20150195296A1

    Publication date: 2015-07-09

    Application number: US14164475

    Filing date: 2014-01-27

    Abstract: In one embodiment, a training request is sent to a plurality of nodes in a network to cause the nodes to generate statistics regarding unicast and broadcast message reception rates associated with the nodes. The statistics are received from the nodes and a statistical model is generated using the received statistics and is configured to detect a network attack by comparing unicast and broadcast message reception statistics. The statistical model is then provided to the nodes and an indication that a network attack was detected by a particular node is received from the particular node.
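    The training and detection exchange from the abstract, carried through end to end as an added example (not the patent's code): a management node sends a training request, each node answers with unicast and broadcast reception counts per window, a model is fitted on the unicast-to-broadcast ratio, the model is pushed to the nodes, and a node returns an indication when a live window falls outside it. The ratio statistic, the z-score rule, the 2 % spread floor and every count are assumptions made here.

```python
"""Added illustrative example; not code from the patent or its assignee.
The management node sends a training request, nodes answer with unicast
and broadcast reception statistics per window, a model is fitted on the
unicast-to-broadcast reception ratio and pushed to the nodes, and a node
reports an indication when a live window falls outside the model.
The ratio model, the z-score rule and every statistic are constructed."""
from statistics import mean, pstdev


def reception_ratio(unicast, broadcast):
    # Guard against a silent broadcast channel; a node that stops hearing
    # broadcasts then shows up as a very high ratio rather than a crash.
    return unicast / max(broadcast, 1)


class Node:
    def __init__(self, name, windows):
        self.name, self.windows, self.model = name, windows, None

    def handle_training_request(self):
        """Statistics generated on a training request: one record per window."""
        return [{"node": self.name, "unicast": u, "broadcast": b} for u, b in self.windows]

    def install_model(self, model):
        self.model = model

    def observe(self, unicast, broadcast):
        """Evaluate a live window against the installed model; returns an
        indication dict for an attack, None otherwise."""
        if self.model is None:
            raise RuntimeError(f"{self.name}: no model installed")
        r = reception_ratio(unicast, broadcast)
        z = (r - self.model["mean"]) / self.model["sd"]
        if abs(z) <= self.model["z_max"]:
            return None
        return {"node": self.name, "ratio": round(r, 2), "z": round(z, 1),
                "direction": "unicast_excess" if z > 0 else "broadcast_excess"}


def build_model(stats, z_max=3.0):
    """Fit mean and spread of the ratio across all reported windows."""
    ratios = [reception_ratio(s["unicast"], s["broadcast"]) for s in stats]
    mu, sd = mean(ratios), pstdev(ratios)
    # Caveat: identical training windows give sd == 0 and every live window
    # would then be flagged; floor the spread at 2 % of the mean.
    sd = max(sd, 0.02 * mu)
    return {"mean": mu, "sd": sd, "z_max": z_max, "samples": len(ratios)}


def train_and_deploy(nodes):
    """Management-node side: collect statistics, fit, push the model out."""
    stats = [s for n in nodes for s in n.handle_training_request()]
    model = build_model(stats)
    for n in nodes:
        n.install_model(model)
    return model


def make_nodes():
    """Constructed training windows: (unicast rx per minute, broadcast rx per minute)."""
    return [
        Node("n1", [(48, 12), (52, 13), (45, 11)]),
        Node("n2", [(50, 12), (47, 12), (53, 13)]),
        Node("n3", [(49, 12), (51, 12), (46, 11)]),
        Node("n4", [(50, 13), (48, 12), (52, 12)]),
    ]


if __name__ == "__main__":
    nodes = make_nodes()
    model = train_and_deploy(nodes)
    print("model:", {k: round(v, 3) if isinstance(v, float) else v for k, v in model.items()})
    print(nodes[0].observe(50, 12))      # ordinary window
    print(nodes[2].observe(400, 12))     # unicast flood at n3
    print(nodes[3].observe(50, 300))     # broadcast storm at n4
```

    Comparing the two reception rates against each other, rather than each against an absolute level, is what lets one model serve every node: a unicast flood at one node and a broadcast storm at another both move the ratio far from the fleet-wide baseline in opposite directions, and the indication says which.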

80. LEARNING MODEL SELECTION IN A DISTRIBUTED NETWORK
    Invention patent application (status: in force)

    Publication number: US20150193693A1

    Publication date: 2015-07-09

    Application number: US14164443

    Filing date: 2014-01-27

    Abstract: In one embodiment, local model parameters are generated by training a machine learning model at a device in a computer network using a local data set. One or more other devices in the network are identified that have trained machine learning models using remote data sets that are similar to the local data set. The local model parameters are provided to the one or more other devices to cause the one or more other devices to generate performance metrics using the provided model parameters. Performance metrics for model parameters are received from the one or more other devices and a global set of model parameters is selected for the device and the one or more other devices using the received performance metrics.
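    The selection procedure in the abstract, as an added example that is not the patent's or the assignee's code: each device trains a one-feature threshold classifier on its local records, finds peers whose data summary is close to its own, sends them its threshold, collects the accuracy each peer measures with it on that peer's own data, and adopts the threshold with the best average accuracy across the group. The threshold model, the log-of-mean similarity key, the tolerance, the device names and the flow rates are assumptions made here.

```python
"""Added illustrative example; not code from the patent or its assignee.
Each device trains a one-feature threshold classifier on its local flow
records, picks peers whose data summary is close to its own, shares its
threshold with them, collects the accuracy each peer measures on its own
data, and selects the threshold with the best average accuracy as the
global parameter set. Devices, data and the similarity rule are constructed."""
import math


class Device:
    def __init__(self, name, normal_pps, attack_pps):
        self.name = name
        # local data set: (packets per second, label) with 1 = attack
        self.data = [(x, 0) for x in normal_pps] + [(x, 1) for x in attack_pps]

    def summary(self):
        """Compact description shared for similarity checks: log of the mean
        feature value (a constructed choice; the abstract does not fix one)."""
        return math.log(sum(x for x, _ in self.data) / len(self.data))

    def accuracy(self, threshold):
        """Performance metric for a proposed parameter: fraction of local
        records that the rule 'pps > threshold' classifies correctly."""
        return sum((x > threshold) == bool(y) for x, y in self.data) / len(self.data)

    def train_local(self):
        """Local model parameter: the midpoint between adjacent sorted values
        with the best local accuracy (smallest threshold on a tie)."""
        xs = sorted({x for x, _ in self.data})
        candidates = [(a + b) / 2 for a, b in zip(xs, xs[1:])]
        return max(candidates, key=lambda t: (self.accuracy(t), -t))


def similar_devices(me, others, tolerance=0.7):
    """Peers whose mean feature value is within a factor of about 2 (e^0.7)."""
    return [d for d in others if abs(d.summary() - me.summary()) < tolerance]


def select_global_parameters(me, others):
    """Returns the chosen threshold, who proposed it, the group that took
    part and the average metric each proposal achieved across the group."""
    group = [me] + similar_devices(me, others)
    proposals = {d.name: d.train_local() for d in group}
    # every device evaluates every proposal on its own data
    metrics = {name: sum(d.accuracy(t) for d in group) / len(group)
               for name, t in proposals.items()}
    best = max(proposals, key=lambda n: (metrics[n], -proposals[n]))
    return {"global_threshold": proposals[best], "proposed_by": best,
            "group": [d.name for d in group], "metrics": metrics}


def make_devices():
    """Constructed devices: two access-layer sensors with similar traffic and
    one aggregation router with a very different rate profile."""
    return (
        Device("edge-1", normal_pps=[20, 35, 50, 80, 95], attack_pps=[320, 400, 450]),
        Device("edge-2", normal_pps=[30, 60, 110, 140, 230], attack_pps=[280, 500, 700]),
        Device("core-1", normal_pps=[800, 1200, 1500, 2000], attack_pps=[5200, 6000]),
    )


if __name__ == "__main__":
    edge1, edge2, core1 = make_devices()
    print(select_global_parameters(edge1, [edge2, core1]))
```

    The similarity step is the part that is easy to skip and costly to skip: without it core-1, whose normal traffic alone exceeds both edge thresholds, would vote on a parameter it could never use and would drag the average down for everyone. With it, edge-1's own threshold (207.5) loses to edge-2's (255.0) because it misclassifies one of edge-2's benign flows, and the group converges on the parameter that generalises across the similar data sets.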
