Patents by Inventor Andrea Di Pietro

Andrea Di Pietro has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170279835
    Abstract: In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.
    Type: Application
    Filed: July 15, 2016
    Publication date: September 28, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Sukrit Dasgupta
  • Publication number: 20170279831
    Abstract: In one embodiment, a device in a network identifies a universal resource locator (URL) from traffic destined for the URL that triggered a first anomaly detected by an anomaly detector. The device reports the first anomaly and the identified URL to a supervisory device in the network. The device receives a URL filter rule for the URL. The URL filter rule is configured to affect anomaly scores generated by the anomaly detector for traffic destined for the URL or a domain associated with the URL. The device uses the URL filter rule to adjust an anomaly score for a second anomaly detected by the anomaly detector based on the second anomaly involving traffic destined for the URL or the domain associated with the URL.
    Type: Application
    Filed: June 14, 2016
    Publication date: September 28, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Sukrit Dasgupta
  • Publication number: 20170279832
    Abstract: In one embodiment, a device in a network receives, from a supervisory device, trace information for one or more traffic flows associated with a particular anomaly. The device remaps network addresses in the trace information to addresses of one or more nodes in the network based on roles of the one or more nodes. The device mixes, using the remapped network addresses, the trace information with traffic information regarding one or more observed traffic flows in the network, to form a set of mixed traffic information. The device analyzes the mixed traffic information using an anomaly detection model. The device provides an indication of a result of the analysis of the mixed traffic information to the supervisory device.
    Type: Application
    Filed: June 16, 2016
    Publication date: September 28, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur
  • Patent number: 9705914
    Abstract: In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: July 11, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9686312
    Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: June 20, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9674207
    Abstract: In one embodiment, a device in a network identifies a set of traffic flow records that triggered an attack detector. The device selects a subset of the traffic flow records and calculates aggregated metrics for the subset. The device provides the aggregated metrics for the subset to the attack detector to generate an attack detection determination for the subset of traffic flow records. The device identifies one or more attack traffic flows from the set of traffic flow records based on the attack detection determination for the subset of traffic flow records.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: June 6, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9641542
    Abstract: In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements. The device adjusts the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: May 2, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Andrea Di Pietro, Javier Cruz Mota
  • Patent number: 9635050
    Abstract: In one embodiment, data flows are received in a network, and information relating to the received data flows is provided to a machine learning attack detector. Then, in response to receiving an attack detection indication from the machine teaming attack detector, a traffic segregation procedure is performed including: computing an anomaly score for each of the received data flows based on a degree of divergence from an expected traffic model, determining a subset of the received data flows that have an anomaly score that is lower than or equal to an anomaly threshold value, and providing information relating to the subset of the received data flows to the machine learning attack detector.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: April 25, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Publication number: 20170103213
    Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.
    Type: Application
    Filed: December 21, 2016
    Publication date: April 13, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Publication number: 20170099309
    Abstract: In one embodiment, a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly.
    Type: Application
    Filed: October 5, 2015
    Publication date: April 6, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Publication number: 20170099310
    Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.
    Type: Application
    Filed: October 5, 2015
    Publication date: April 6, 2017
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9563854
    Abstract: In one embodiment, a device determines that a machine learning model is to be trained by a plurality of devices in a network. A set of training devices are identified from among the plurality of devices to train the model, with each of the training devices having a local set of training data. An instruction is then sent to each of the training devices that is configured to cause a training device to receive model parameters from a first training device in the set, use the parameters with at least a portion of the local set of training data to generate new model parameters, and forward the new model parameters to a second training device in the set. Model parameters from the training devices are also received that have been trained using a global set of training data that includes the local sets of training data on the training devices.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: February 7, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Javier Cruz Mota, Jean-Philippe Vasseur, Andrea Di Pietro
  • Patent number: 9559918
    Abstract: In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: January 31, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9521158
    Abstract: In one embodiment, a device determines that input data to a machine learning model sent from a plurality of source nodes to an aggregation node is causing network congestion. A set of one or more other nodes to perform aggregation of the machine learning model input data is selected. A type of aggregation to be performed by the set of one or more other nodes is also selected. The set of one or more other nodes is also instructed to perform the selected type of aggregation on the data sent from the source nodes.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: December 13, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 9503466
    Abstract: In one embodiment, a first network device receives a notification that the first network device has been selected to validate a machine learning model for a second network device. The first network device receives model parameters for the machine learning model that were generated by the second network device using training data on the second network device. The model parameters are used with local data on the first network device to determine performance metrics for the model parameters. The performance metrics are then provided to the second network device.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: November 22, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Javier Cruz Mota, Andrea Di Pietro
  • Patent number: 9497215
    Abstract: In one embodiment, attack traffic corresponding to a detected DoS attack from one or more attacker nodes is received at a denial of service (DoS) attack management node in a network. The DoS attack management node determines attack information relating to the attack traffic, including a type of the DoS attack and an intended target of the DoS attack. Then, the DoS attack management node triggers an attack mimicking action based on the attack information, where the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: November 15, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Andrea Di Pietro, Javier Cruz Mota
  • Patent number: 9450978
    Abstract: In one embodiment, network data is received at a first node in a computer network. A low precision machine learning model is used on the network data to detect a network event. A notification is then sent to a second node in the computer network that the network event was detected, to cause the second node to use a high precision machine learning model to validate the detected network event.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: September 20, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Javier Cruz Mota, Andrea Di Pietro
  • Patent number: 9450972
    Abstract: In one embodiment, a device in a network receives a set of output label dependencies for a set of attack detectors. The device identifies applied labels that were applied by the attack detectors to input data regarding a network, the applied labels being associated with probabilities. The device determines a combined probability for two or more of the applied labels based on the output label dependencies and the probabilities associated with the two or more labels. The device selects one of the applied labels as a finalized label for the input data based on the probabilities associated with the applied labels and on the combined probability for the two or more labels.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: September 20, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Javier Cruz Mota, Andrea Di Pietro, Jean-Philippe Vasseur
  • Patent number: 9411916
    Abstract: In one embodiment, techniques are shown and described relating to a distributed approach for feature modeling on an LLN using principal component analysis. In one specific embodiment, a computer network has a plurality of nodes and a router. The router is configured to select one or more nodes of the plurality of nodes that will collaborate with the router for collectively computing a model of respective features for input to a Principal Component Analysis (PCA) model. In addition, the selected one or more nodes and the router are configured to perform a distributed computation of a PCA model between the router and the selected one or more nodes.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: August 9, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Javier Cruz Mota, Jean-Philippe Vasseur, Andrea Di Pietro
  • Patent number: 9413779
    Abstract: In one embodiment, local model parameters are generated by training a machine learning model at a device in a computer network using a local data set. One or more other devices in the network are identified that have trained machine learning models using remote data sets that are similar to the local data set. The local model parameters are provided to the one or more other devices to cause the one or more other devices to generate performance metrics using the provided model parameters. Performance metrics for model parameters are received from the one or more other devices and a global set of model parameters is selected for the device and the one or more other devices using the received performance metrics.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: August 9, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Andrea Di Pietro, Javier Cruz Mota