Abstract: In one embodiment, a device predicts a failure of a first tunnel in a software-defined wide area network (SD-WAN). The device makes a prediction as to whether a second tunnel in the SD-WAN will satisfy a service level agreement (SLA) associated with traffic on the first tunnel. The device proactively reroutes the traffic from the first tunnel onto the second tunnel, based on the prediction as to whether that the second tunnel will satisfy the SLA of the traffic. The device monitors one or more quality of service (QoS) metrics for the rerouted traffic, to ensure that the second tunnel satisfies the SLA of the traffic.

Abstract: In one embodiment, a device in a network obtains data indicative of a device classification rule, a device type label associated with the rule, and a set of positive and negative feature vectors used to create the rule. The device replaces similar feature vectors in the set of positive and negative feature vectors with a single feature vector, to form a reduced set of feature vectors. The device applies differential privacy to the reduced set of feature vectors. The device sends a digest to a cloud service. The digest comprises the device classification rule, the device type label, and the reduced set of feature vectors to which differential privacy was applied. The service uses the digest to train a machine learning-based device classifier.

Abstract: In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.

Abstract: In one embodiment, a service receives a plurality of device type classification rules, each rule comprising a device type label and one or more device attributes used as criteria for application of the label to a device in a network. The service estimates, across a space of the device attributes, device densities of devices having device attributes at different points in that space. The service uses the estimated device densities to identify two or more of the device type classification rules as having overlapping device attributes. The service determines that the two or more device type classification rules are in conflict, based on the two or more rules having different device type labels. The service generates a rule conflict resolution that comprises one of the device type labels from the conflicting two or more device type classification rules.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) tracks a performance metric for a tunnel in the SD-WAN. The supervisory service computes a cumulative distribution function (CDF) for the tracked performance metric. The service assesses curvature of the CDF for the tracked performance metric relative to a service level agreement (SLA) threshold of an application for that performance metric. The service controls assignment of traffic for the application to the tunnel, based on the assessed curvature of the CDF for the tracked performance metric relative to the SLA threshold of the application for that performance metric.

Abstract: In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.

Abstract: In one embodiment, a supervisory service for one or more networks receives telemetry data samples from a plurality of networking devices in the one or more networks. The service trains a failure prediction model to predict failures in the one or more networks, using a training dataset comprising the received telemetry data samples. The service assesses performance of the failure prediction model. The service trains, based on the assessed performance of the failure prediction model, a machine learning-based classification model to determine whether a networking device should send a particular telemetry data sample to the service. The service sends the machine learning-based classifier to one or more of the plurality of networking devices, to control which telemetry data samples the one or more networking devices send to the supervisory service.

Abstract: In one embodiment, a device identifies one or more telemetry data variables for use to predict failure of a tunnel in a software-defined wide area network (SD-WAN). The device sends a Bidirectional Forwarding Detection (BFD)-based telemetry request towards a tail-end router of the tunnel that requests the one or more telemetry data variables. The device receives the requested one or more telemetry data variables. The device uses the received one or more telemetry data variables as input to a machine learning-based model, to predict a failure of the tunnel.

Abstract: In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) uses a plurality of different decision thresholds for a machine learning-based classifier, to predict tunnel failures of a tunnel in the SD-WAN. The supervisory service captures performance data indicative of performance of the classifier when using the different decision thresholds. The supervisory service selects, based on the captured performance data, a particular decision threshold for the classifier, in an attempt to optimize the performance of the classifier. The supervisory service uses the selected decision threshold for the classifier, to predict a tunnel failure of the tunnel.

Abstract: In one embodiment, a service maintains a database of media access control (MAC) addresses of devices in a network and their associated telemetry data captured from the network. The service identifies a new MAC address being used by a particular device in the network. The service matches telemetry data associated with the new MAC address with telemetry data in the database associated with another MAC address, by using the telemetry data associated with the new MAC address as input to a machine learning-based classifier. The service determines, based on the matching, that the MAC address in the database associated with the matched telemetry data has been updated to the new MAC address by the particular device.

Abstract: In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.

Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) detects seasonal service level agreement (SLA) violations by one or more tunnels in the SD-WAN using a machine learning-based regression model. The service identifies a root cause of the seasonal SLA violations by determining whether the root cause of the seasonal SLA violations is associated with an internal network connected to the one or more tunnels. The service further identifies the root cause by determining whether the root cause of the seasonal SLA violations is associated with a particular service provider network over which the one or more tunnels traverse by associating the seasonal SLA violations with SLA violations by tunnels in other SD-WANs that also traverse the particular service provider network. The service initiates a corrective measure based on the determined root cause of the seasonal SLA violations by the one or more tunnels.

Abstract: In one embodiment, a supervisory service for a software-defined wide area network (SD-WAN) obtains telemetry data from one or more edge devices in the SD-WAN. The service trains, using the telemetry data as training data, a machine learning- based model to predict tunnel failures in the SD-WAN. The service receives feedback from the one or more edge devices regarding failure predictions made by the trained machine learning-based model. The service retrains the machine learning-based model, based on the received feedback.

Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.

Abstract: In one embodiment, a network assurance service associates a target key performance indicator (tKPI) measured from a network with a plurality of causation key performance indicators (cKPIs) measured from the network that may indicate a root cause of a tKPI anomaly. The network assurance service applies a machine learning-based anomaly detector to the tKPI over time, to generate tKPI anomaly scores. The network assurance service calculates, for each of cKPIs, a mean and standard deviation of that cKPI using a plurality of different time windows associated with the tKPI anomaly scores. The network assurance service uses the calculated means and standard deviations of the cKPIs in the different time windows to calculate cross-correlation scores between the tKPI anomaly scores and the cKPIs. The network assurance service selects one or more of the cKPIs as the root cause of the tKPI anomaly based on their calculated cross-correlation scores.

Abstract: In one embodiment, a network assurance service that monitors a plurality of networks subdivides telemetry data regarding devices located in the networks into subsets, wherein each subset is associated with a device type, time period, metric type, and network. The service summarizes each subset by computing distribution percentiles of metric values in the subset. The service identifies an outlier subset by comparing distribution percentiles that summarize the subsets. The service reports insight data regarding the outlier subset to a user interface. The service adjusts the subsets based in part on feedback regarding the insight data from the user interface.

Abstract: In one embodiment, a network assurance service receives one or more sets of network characteristics of a network, each network characteristic forming a different feature dimension in a multi-dimensional feature space. The network assurance service applies machine learning-based anomaly detection to the one or more sets of network characteristics, to label each set of network characteristics as anomalous or non-anomalous. The network assurance service identifies, based on the labeled one or more sets of network characteristics, an anomaly pattern as a collection of unidimensional cutoffs in the feature space. The network assurance service initiates a change to the network based on the identified anomaly pattern.

Abstract: In one embodiment, a device receives traffic telemetry data captured by a plurality of networks and used by device classification services in the networks to classify endpoints in the networks with device types. The device compares the telemetry data from a particular one of the networks to the telemetry data from the other networks to identify one or more traffic characteristics that are missing from the telemetry data for one or more endpoints of the particular network. The device identifies a networking entity in the particular network that is common to the one or more endpoints for which the one or more characteristics are missing. The device determines a configuration change for the networking entity by comparing a current configuration of the entity to those of one or more entities in the other networks. The device initiates implementation of the determined configuration change for the entity in the particular network.