Abstract: In one embodiment, a network assurance service uses a first machine-learning based model that is locally deployed to a network to assess a set of input features comprising measurements from the network. The service monitors, locally in the network, performance of the first machine learning-based model. The service determines that the monitored performance of the first machine learning-based model does not meet one or more performance requirements associated with the network. The service selects a second machine learning-based model for deployment to the network, based on the one or more performance requirements associated with the network and on the set of input features of the first machine learning-based model. The service deploys the selected second machine learning-based model to the network as a replacement for the first machine learning-based model.

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

Abstract: In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.

Abstract: In one embodiment, a network assurance service that monitors a plurality of networks subdivides telemetry data regarding devices located in the networks into subsets, wherein each subset is associated with a device type, time period, metric type, and network. The service summarizes each subset by computing distribution percentiles of metric values in the subset. The service identifies an outlier subset by comparing distribution percentiles that summarize the subsets. The service reports insight data regarding the outlier subset to a user interface. The service adjusts the subsets based in part on feedback regarding the insight data from the user interface.

Abstract: In one embodiment, a device receives health status data indicative of a health status of a data source in a network that provides collected telemetry data from the network for analysis by a machine learning-based network analyzer. The device maintains a performance model for the data source that models the health of the data source. The device computes a trustworthiness index for the telemetry data provided by the data source based on the received health status data and the performance model for the data source. The device adjusts, based on the computed trustworthiness index for the telemetry data provided by the data source, one or more parameters used by the machine learning-based network analyzer to analyze the telemetry data provided by the data source.

Abstract: In one embodiment, possible voting nodes in a network are identified. The possible voting nodes each execute a classifier that is configured to select a label from among a plurality of labels based on a set of input features. A set of one or more eligible voting nodes is selected from among the possible voting nodes based on a network policy. Voting requests are then provided to the one or more eligible voting nodes that cause the one or more eligible voting nodes to select labels from among the plurality of labels. Votes are received from the eligible voting nodes that include the selected labels and are used to determine a voting result.

Abstract: In one embodiment, a local service of a network reports configuration information regarding the network to a cloud-based network assurance service. The local service receives a classifier selected by the cloud-based network assurance service based on the configuration information regarding the network. The local service classifies, using the received classifier, telemetry data collected from the network, to select a modeling strategy for the network. The local service installs, based on the modeling strategy for the network, a machine learning-based model to the local service for monitoring the network.

Abstract: In one embodiment, a device evaluates a set of training data for a machine learning model to identify a missing feature subset in a feature space of the set of training data. The device identifies a plurality of network nodes eligible to initiate an attack on a network to generate the missing feature subset. One or more attack nodes are selected from among the plurality of network nodes. An attack routine is provided to the one or more attack nodes to cause the one or more attack nodes to initiate the attack. An indication that the attack has completed is then received from the one or more attack nodes.

Abstract: In one embodiment, a network assurance service receives, from a reporting entity, data regarding a monitored network for input to a machine learning-based analyzer of the network assurance service. The service forms a reporting entity model of the reporting entity, based on at least a portion of the data received from the reporting entity. The service identifies a behavioral change of the reporting entity by comparing a sample of the data received from the reporting entity to the reporting entity model. The service correlates the behavioral change of the reporting entity to a change made to the reporting entity. The service causes performance of a mitigation action, to prevent the behavioral change from affecting operation of the machine learning-based analyzer.

Abstract: In one embodiment, a network assurance service receives data regarding a monitored network. The service analyzes the received data using a machine learning-based model, to perform a network assurance function for the monitored network. The service determines that performance of the model is negatively affected by a sample rate of the received data. The service adjusts the sample rate of the data, based on the determination that the performance of the model is negatively affected by the sample rate of the received data.

Abstract: In one embodiment, a device in a network receives, from a supervisory device, trace information for one or more traffic flows associated with a particular anomaly. The device remaps network addresses in the trace information to addresses of one or more nodes in the network based on roles of the one or more nodes. The device mixes, using the remapped network addresses, the trace information with traffic information regarding one or more observed traffic flows in the network, to form a set of mixed traffic information. The device analyzes the mixed traffic information using an anomaly detection model. The device provides an indication of a result of the analysis of the mixed traffic information to the supervisory device.

Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.

Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

Abstract: In one embodiment, a supervisory device in a network receives traffic data from a security device that uses traffic signatures to assess traffic in the network. The supervisory device receives traffic data from one or more distributed learning agents that use machine learning-based anomaly detection to assess traffic in the network. The supervisory device trains a traffic classifier using the received traffic data from the security device and from the one or more distributed learning agents. The supervisory device deploys the traffic classifier to a selected one of the one or more distributed learning agents.

Abstract: In one embodiment, a device receives health status data indicative of a health status of a data source in a network that provides collected telemetry data from the network for analysis by a machine learning-based network analyzer. The device maintains a performance model for the data source that models the health of the data source. The device computes a trustworthiness index for the telemetry data provided by the data source based on the received health status data and the performance model for the data source. The device adjusts, based on the computed trustworthiness index for the telemetry data provided by the data source, one or more parameters used by the machine learning-based network analyzer to analyze the telemetry data provided by the data source.

Abstract: In one embodiment, a device identifies a new data source of characteristics data for a monitored network. The device initiates a quarantine period for the characteristic data from the new data source. The characteristic data from the new data source is quarantined from input to a machine learning-based analyzer during the quarantine period. The device models the characteristic data from the new data source during the quarantine period, to determine whether the characteristic data from the new data source is reliable for input to the machine learning-based analyzer. After the quarantine period, the device provides the characteristic data from the new data source to the machine learning-based analyzer based on a determination that the characteristic data from the new data source is reliable.

Abstract: In one embodiment, attack detectability metrics are received from nodes along a path in a network. The attack detectability metrics from the nodes along the path are used to compute a path attack detectability value. A determination is made as to whether the path attack detectability value satisfies a network policy and one or more routing paths in the network are adjusted based on the path attack detectability value not satisfying the network policy.

Abstract: In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.

Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.