Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In various embodiments, a device classification service makes a determination that an endpoint device in a network is eligible for expedited device classification based on a policy. The device classification service obtains, after making the determination that the endpoint device in the network is eligible for expedited device classification, telemetry data regarding the endpoint device generated by actively probing the endpoint device. The device classification service determines whether the telemetry data regarding the endpoint device matches any existing device classification rules. The device classification service generates, based on the telemetry data, a device classification rule that assigns a device type to the endpoint device, when the telemetry data does not match any existing device classification rules.

Abstract: In one embodiment, a device deploys a first machine learning model to an inference location in a network. The first machine learning model is used at the inference location to make inferences about the network. The device receives, from the inference location, an indication that the first machine learning model is exhibiting poor performance. The device identifies a corrective measure for the poor performance that minimizes resource consumption by a model training pipeline of the device. The device deploys, based on the corrective measure, a second machine learning model to the inference location. The second machine learning model is used in lieu of the first machine learning model to make the inferences about the network.

Abstract: In various embodiments, a device obtains a set of device classification rules. Each device classification rule specifies one or more attributes from a set of attributes and being configured to assign a device type to an endpoint in a network when the endpoint exhibits the one or more attributes specified by that rule. The device forms a graphical representation of the set of attributes. The device performs an analysis of the graphical representation of the set of attributes. The device provides a result of the analysis to a user interface.

Abstract: In various embodiments, a device classification service obtains device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device. The device classification service labels the device with a device type, based on the device telemetry data. The device classification service detects device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes. The device classification service initiates, based on the device type spoofing, a mitigation action regarding the device.

Abstract: In various embodiments, a device classification service uses an initial device classification rule to label each of a set of endpoint devices in a network as being of a particular device type. The device classification service identifies a particular attribute exhibited by at least a portion of the set of endpoint devices and was not previously used to generate the initial device classification rule. The device classification service generates one or more new device classification rules based in part on the particular attribute. The device classification service switches from using the initial device classification rule to label endpoint devices in the network to using the one or more new device classification rules to label endpoint devices in the network.

Abstract: In one embodiment, a device constructs a set of controlled what-if input parameters for evaluating a what-if scenario in a network. The device uses the set of controlled what-if input parameters and state data indicative of a current state of the network as input to a network state model. The network state model predicts values for the state data conditioned on the what-if input parameters. The device predicts a key performance indicator (KPI) in the network by using the predicted values for the state data from the network state model as input to a machine learning-based KPI prediction model. The device initiates a routing change in the network based in part on the predicted KPI.

Abstract: In various embodiments, a device classification service obtains data indicative of device attributes of a plurality of devices. The device classification service forms, based on the obtained data indicative of the device attributes, a concept graph that comprises nodes that represent different sets of the device attributes. The device classification service determines, by analyzing the concept graph, a relevance score for each of the device attributes that quantifies how relevant that attribute is to classifying a device by its device type. The device classification service uses the relevance scores for the device attributes to cluster the plurality of devices into device type clusters by their device attributes.

Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.

Abstract: In one embodiment, a service receives telemetry data indicative of a plurality of performance metrics captured in a network. The service jointly trains, using the received telemetry data, a compression model and an inference model, the compression model being a first machine learning model trained to convert the telemetry data into a compressed representation of the telemetry data and the inference model being a second machine learning model trained to take the compressed representation of the telemetry data as input and apply a classification label to it. The service deploys the compression model to the network. The service receives compressed telemetry data generated by the compression model deployed to the network. The service uses the inference model to classify the compressed telemetry data generated by the compression model deployed to the network.

Abstract: In one embodiment, a device clusters traffic feature vectors for a plurality of endpoints in a network into a set of clusters. Each traffic feature vector comprises traffic telemetry data captured for one of the endpoints. The device selects one of the clusters for labeling, based in part on contextual data associated with the clusters that was not used to form the clusters. The device obtains a device type label for the selected cluster by providing data regarding the selected cluster and the contextual data associated with that cluster to a user interface. The device provides the device type label and the traffic feature vectors associated with the selected cluster for training a machine learning-based device type classifier.

Abstract: In various embodiments, a device classification service receives, from a networking device in a network, an indication that deep packet inspection (DPI) trace data is not available for an endpoint device in the network because the endpoint device does not match any DPI policies of the networking device. The service configures a first DPI policy on the networking device that causes it to capture a DPI trace of traffic associated with the endpoint device. The service receives, via a user interface, an indication that a subset of attributes of the endpoint device in the DPI trace is relevant to labeling the endpoint device with a device type. The service replaces the first DPI policy on the networking device with a second DPI policy that causes it to report only the subset of attributes of endpoint devices to the device classification service for endpoint devices that match the second DPI policy.

Abstract: In various embodiments, a device classification service forms a device cluster by applying clustering to attributes of endpoint devices observed in one or more networks. The device classification service applies an initial device classification rule to the endpoint devices in the device cluster, based on one or more of the endpoint devices in the device cluster matching the initial device classification rule. The device classification service computes metrics for the initial device classification rule that quantify how well the attributes of the endpoint devices in the device cluster match the initial device classification rule. The device classification service decides, based on the metrics, whether to associate the initial device classification rule with the device cluster or generate a new device classification rule based on the device cluster.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: Application performance can be simulated based on captured application-specific traffic flows through a managed network. Traffic flows may be captured across the managed network and associated with a particular application. The captured flows can be used to generate trend lines and models. The generated trend lines and models may be used to simulate application performance responsive to changes in network characteristics and provided to a user through a graphical user interface as a graph. The user may then adjust simulated network characteristics through the graphical user interface to perform various hypothetical network simulations.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In one embodiment, a device constructs a set of controlled what-if input parameters for evaluating a what-if scenario in a network. The device uses the set of controlled what-if input parameters and state data indicative of a current state of the network as input to a network state model. The network state model predicts values for the state data conditioned on the what-if input parameters. The device predicts a key performance indicator (KPI) in the network by using the predicted values for the state data from the network state model as input to a machine learning-based KPI prediction model. The device initiates a routing change in the network based in part on the predicted KPI.

Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.