Abstract: In one embodiment, a first network device receives a notification that the first network device has been selected to validate a machine learning model for a second network device. The first network device receives model parameters for the machine learning model that were generated by the second network device using training data on the second network device. The model parameters are used with local data on the first network device to determine performance metrics for the model parameters. The performance metrics are then provided to the second network device.

Abstract: In one embodiment, a first data set is received by a network device that is indicative of the statuses of a plurality of network devices when a type of network attack is not present. A second data set is also received that is indicative of the statuses of the plurality of network devices when the type of network attack is present. At least one of the plurality simulates the type of network attack by operating as an attacking node. A machine learning model is trained using the first and second data set to identify the type of network attack. A real network attack is then identified using the trained machine learning model.

Abstract: In one embodiment, a training request is sent to a plurality of nodes in a network to cause the nodes to generate statistics regarding unicast and broadcast message reception rates associated with the nodes. The statistics are received from the nodes and a statistical model is generated using the received statistics and is configured to detect a network attack by comparing unicast and broadcast message reception statistics. The statistical model is then provided to the nodes and an indication that a network attack was detected by a particular node is received from the particular node.

Abstract: In one embodiment, local model parameters are generated by training a machine learning model at a device in a computer network using a local data set. One or more other devices in the network are identified that have trained machine learning models using remote data sets that are similar to the local data set. The local model parameters are provided to the one or more other devices to cause the one or more other devices to generate performance metrics using the provided model parameters. Performance metrics for model parameters are received from the one or more other devices and a global set of model parameters is selected for the device and the one or more other devices using the received performance metrics.

Abstract: In one embodiment, techniques are shown and described relating to a distributed approach for feature modeling on an LLN using principal component analysis. In one specific embodiment, a computer network has a plurality of nodes and a router. The router is configured to select one or more nodes of the plurality of nodes that will collaborate with the router for collectively computing a model of respective features for input to a Principal Component Analysis (PCA) model. In addition, the selected one or more nodes and the router are configured to perform a distributed computation of a PCA model between the router and the selected one or more nodes.

Abstract: In one embodiment, techniques are shown and described relating to quarantine-based mitigation of effects of a local DoS attack. A management device may receive data indicating that one or more nodes in a shared-media communication network are under attack by an attacking node. The management device may then communicate a quarantine request packet to the one or more nodes under attack, the quarantine request packet providing instructions to the one or more nodes under attack to alter their frequency hopping schedule without allowing the attacking node to learn of the altered frequency hopping schedule.

Abstract: In one embodiment, a control loop control using a broadcast channel may be used to communicate with a node under attack. A management device may receive data indicating that one or more nodes in a computer network are under attack. The management device may then determine that one or more intermediate nodes are in proximity to the one or more nodes under attack, and communicate an attack-mitigation packet to the one or more nodes under attack by using the one or more intermediate nodes to relay the attack-mitigation packet to the one or more nodes under attack.

Abstract: In one embodiment, techniques are shown and described relating to attack mitigation using learning machines. A node may receive network traffic data for a computer network, and then predict a probability that one or more nodes are under attack based on the network traffic data. The node may then decide to mitigate a predicted attack by instructing nodes to forward network traffic on an alternative route without altering an existing routing topology of the computer network to reroute network communication around the one or more nodes under attack, and in response, the node may communicate an attack notification message to the one or more nodes under attack.

Abstract: A method for monitoring a network, wherein the network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and/or other mediator nodes, and at least one root entity that receives network measurement data and/or aggregated network measurement data from the mediator nodes, is characterized in that the aggregation of network measurement data is performed by condensing network measurement data into a summarized probabilistic data structure. Furthermore, a network including a monitoring functionality is disclosed.

Abstract: A method for probabilistic processing of data, wherein the data is provided in form of a data set S composed of multidimensional n-tuples of the form (x1, . . . , xn), is characterized in that an n-dimensional data structure is generated by way of providing a bit matrix, providing a number K of independent hash functions Hk that are employed in order to address the bits in the matrix, and inserting the n-tuples (x1, . . . , xn) into the bit matrix by computing the hash values Hk(x) for all values x of the n-tuple for each of the number K of independent hash functions Hk, and by setting the resulting bits [Hk(x1), . . . , Hk(xn)] of the matrix. Furthermore, a respective system is disclosed.

Abstract: A method for monitoring a network, wherein the network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and/or other mediator nodes, and at least one root entity that receives network measurement data and/or aggregated network measurement data from the mediator nodes, is characterized in that the aggregation of network measurement data is performed by condensing network measurement data into a summarized probabilistic data structure. Furthermore, a network including a monitoring functionality is disclosed.

Abstract: For providing a simple monitoring mechanism with reduced resource and performance requirements a method for monitoring traffic in a network is claimed, wherein a monitoring activity of at least two monitoring probes of the network is coordinated by a coordinating element, wherein at least two nodes of the network are able to operate as coordinating elements and wherein the responsibility for coordinating the monitoring activity of the monitoring probes is split between the nodes according to a compressed representation of flow parameter keys. Further, an according network is described, preferably for carrying out the above mentioned method.