Patents by Inventor Grégory Mermoud

Grégory Mermoud has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10764310
    Abstract: In one embodiment, a device in a network receives anomaly data regarding an anomaly detected by a machine learning-based anomaly detection mechanism of a first node in the network. The device matches the anomaly data to threat intelligence feed data from one or more threat intelligence services. The device determines whether to provide threat intelligence feedback to the first node based on the matched threat intelligence feed data and one or more policy rules. The device provides threat intelligence feedback to the first node regarding the matched threat intelligence feed data, in response to determining that the device should provide threat intelligence feedback to the first node.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: September 1, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Sukrit Dasgupta, Grégory Mermoud
  • Patent number: 10749768
    Abstract: In one embodiment, a network assurance service receives a first set of telemetry data captured in a first network monitored by the network assurance service. The network assurance service computes, for each of a plurality of other networks monitored by the service, a similarity score between the first set of telemetry data and a set of telemetry data captured in that other network. The service selects a machine learning-based anomaly detector trained using a particular one of the sets of telemetry data captured in one of the plurality of other networks, based on the computed similarity score between the first set of telemetry data and the particular set of telemetry data captured in one of the plurality of other networks. The service uses the selected anomaly detector to assess telemetry data from the first network, until the service has received a threshold amount of telemetry data for the first network.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: August 18, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Sharon Shoshana Wulff, Jean-Philippe Vasseur, Grégory Mermoud
  • Patent number: 10742486
    Abstract: In one embodiment, a network assurance system discretizes parameter values of a plurality of time series of measurements obtained from a monitored network by assigning tags to the parameter values. The network assurance system detects occurrences of a particular type of failure event in the monitored network. The network assurance system identifies a set of the assigned tags that frequently co-occur with the occurrences of the particular type of failure event. The network assurance system determines, using a Bayesian framework, rankings for the tags in the identified set based on how well each of the tags acts as a predictor of the failure event. The network assurance system initiates performance of a corrective measure for the failure event based in part on the determined rankings for the tags in the identified set.
    Type: Grant
    Filed: January 8, 2018
    Date of Patent: August 11, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Grégory Mermoud, Abhishek Kumar, Jean-Philippe Vasseur
  • Patent number: 10735274
    Abstract: In one embodiment, a network assurance service applies labels to feature vectors of network characteristics associated with a plurality of wireless access points in the network. An applied label for a feature vector indicates whether the access point associated with the feature vector experienced a threshold number of onboarding delays within a given time window. The service, based on the feature vectors and labels, trains a plurality of machine learning-based classifiers to predict onboarding delays, and uses one or more of the trained plurality of classifiers to predict onboarding delays for a particular access point. The service calculates one or more classifier performance metrics for the one or more classifiers based on the predicted onboarding delays for the particular access point. The service selects a particular one of the classifiers to monitor the network characteristics associated with the particular access point, based on the one or more classifier performance metrics.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: August 4, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Sharon Shoshana Wulff, Grégory Mermoud, Jean-Philippe Vasseur
  • Patent number: 10728775
    Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.
    Type: Grant
    Filed: May 8, 2019
    Date of Patent: July 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur, Javier Cruz Mota
  • Patent number: 10701092
    Abstract: In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
    Type: Grant
    Filed: November 30, 2016
    Date of Patent: June 30, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Laurent Sartran, Sébastien Gay, Jean-Philippe Vasseur, Grégory Mermoud
  • Patent number: 10700984
    Abstract: In one embodiment, a labeling service receives traffic feature data for a cluster of endpoint devices in a network. A device classification service forms the cluster of endpoint devices by applying machine learning-based clustering to the feature data. The labeling service selects a subset of the endpoint devices in the cluster, in an effort to maximize diversity of the traffic feature data of the selected endpoint devices. The labeling service sends a control command into the network, to trigger a traffic behavior by the selected subset. The labeling service receives updated traffic feature data for the selected subset associated with the triggered traffic behavior. The labeling service controls whether a label request is sent to a user interface for labeling of the cluster of endpoint devices with a device type, based on the updated traffic feature data for the subset of endpoint devices in the cluster.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: June 30, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud
  • Patent number: 10701095
    Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: June 30, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
  • Patent number: 10680919
    Abstract: In one embodiment, a network assurance service that monitors a network detects anomalies in the network by applying one or more machine learning models to telemetry data from the network. The network assurance service ranks feedback from a plurality of anomaly rankers regarding relevancy or criticality of the detected anomalies. The network assurance service clusters the plurality of anomaly rankers into clusters of similar rankers, based on the received ranking feedback. The network assurance service uses the clusters of similar rankers to assign reliability scores to each of the anomaly rankers. The network assurance service selects, based on the reliability scores, a subset of the plurality of anomaly rankers to receive an anomaly detection alert regarding a particular detected anomaly to be ranked. The network assurance service provides the anomaly detection alert to the selected subset of the plurality of anomaly rankers for ranking.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: June 9, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Grégory Mermoud, Jean-Philippe Vasseur, Abhishek Kumar
  • Patent number: 10673728
    Abstract: In one embodiment, a local service of a network reports configuration information regarding the network to a cloud-based network assurance service. The local service receives a classifier selected by the cloud-based network assurance service based on the configuration information regarding the network. The local service classifies, using the received classifier, telemetry data collected from the network, to select a modeling strategy for the network. The local service installs, based on the modeling strategy for the network, a machine learning-based model to the local service for monitoring the network.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: June 2, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Andrea Di Pietro, Jean-Philippe Vasseur, Javier Cruz Mota, Grégory Mermoud
  • Publication number: 20200160100
    Abstract: In one embodiment, a device clusters traffic feature vectors for a plurality of endpoints in a network into a set of clusters. Each traffic feature vector comprises traffic telemetry data captured for one of the endpoints. The device selects one of the clusters for labeling, based in part on contextual data associated with the clusters that was not used to form the clusters. The device obtains a device type label for the selected cluster by providing data regarding the selected cluster and the contextual data associated with that cluster to a user interface. The device provides the device type label and the traffic feature vectors associated with the selected cluster for training a machine learning-based device type classifier.
    Type: Application
    Filed: November 19, 2018
    Publication date: May 21, 2020
    Inventors: Grégory Mermoud, Pierre-André Savalle, Jean-Philippe Vasseur, David Tedaldi
  • Publication number: 20200162391
    Abstract: In one embodiment, a labeling service receives traffic feature data for a cluster of endpoint devices in a network. A device classification service forms the cluster of endpoint devices by applying machine learning-based clustering to the feature data. The labeling service selects a subset of the endpoint devices in the cluster, in an effort to maximize diversity of the traffic feature data of the selected endpoint devices. The labeling service sends a control command into the network, to trigger a traffic behavior by the selected subset. The labeling service receives updated traffic feature data for the selected subset associated with the triggered traffic behavior. The labeling service controls whether a label request is sent to a user interface for labeling of the cluster of endpoint devices with a device type, based on the updated traffic feature data for the subset of endpoint devices in the cluster.
    Type: Application
    Filed: November 19, 2018
    Publication date: May 21, 2020
    Inventors: Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud
  • Publication number: 20200162425
    Abstract: In one embodiment, a labeling service receives telemetry data for a cluster of endpoint devices in a first network environment. The endpoint devices in the cluster are clustered by a device classification service based on their telemetry data and labeled by a device type classifier of the device classification service as being of an unknown device type. The labeling service obtains a first device type label for the cluster of endpoint devices via a first user interface. The labeling service identifies one or more other network environments in which endpoint devices are located that have similar telemetry data as that of the cluster of endpoint devices. The labeling service obtains device type labels for the cluster of endpoint devices via a selected set of user interfaces from the identified one or more other network environments.
    Type: Application
    Filed: November 19, 2018
    Publication date: May 21, 2020
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle
  • Publication number: 20200162329
    Abstract: In one embodiment, a device classification service receives data indicative of network traffic policies assigned to a plurality of device types. The device classification service associates measures of policy restrictiveness with the device types, based on the received data indicative of the network traffic policies assigned to the plurality of device types. The device classification service determines misclassification costs associated with a machine learning-based device type classifier of the service misclassifying an endpoint device of one of the plurality of device types with another of the plurality of device types, based on their associated measures of policy restrictiveness. The device classification service adjusts the machine learning-based device type classifier to account for the determined misclassification costs.
    Type: Application
    Filed: November 19, 2018
    Publication date: May 21, 2020
    Inventors: Grégory Mermoud, Pierre-André Savalle, Jean-Philippe Vasseur
  • Publication number: 20200162341
    Abstract: In one embodiment, a network assurance service that monitors a plurality of networks obtains characteristic data regarding network entities deployed in the plurality of networks. The network assurance service assigns the network entities to entity clusters by applying a clustering mechanism to the characteristic data regarding the network entities. The network assurance service generates, for each of the entity clusters, a training dataset using the characteristic data for the network entities assigned to that cluster. The network assurance service uses, for each of the entity clusters, the training datasets for an entity cluster to train a machine learning-based model that models the behavior of that entity cluster.
    Type: Application
    Filed: November 20, 2018
    Publication date: May 21, 2020
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Erwan Barry Tarik Zerhouni, Santosh Ghanshyam Pandey
  • Patent number: 10659333
    Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: May 19, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Laurent Sartran, Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Sébastien Gay
  • Publication number: 20200151616
    Abstract: In one embodiment, a device classification service receives a plurality of device classification rulesets, each ruleset associating a set of device characteristics with a device type label. The device classification service forms a unified ruleset by resolving a conflict between conflicting device characteristics from two or more of the device classification rulesets. The device classification service trains a machine learning-based device classifier using the unified ruleset. The device classification service classifies, using telemetry data for a device in a network as input to the trained device classifier, the device with the device type label.
    Type: Application
    Filed: November 9, 2018
    Publication date: May 14, 2020
    Inventors: Grégory Mermoud, Jean-Philippe Vasseur, Pierre-André Savalle
  • Publication number: 20200153616
    Abstract: In one embodiment, a network assurance service maintains a first set of telemetry data from the network anonymized using a first key regarding a plurality of network entities in a monitored network. The service receives a key rotation notification indicative of a key changeover from the first key to a second key for anonymization of a second set of telemetry data from the network. The service forms, during a key rotation time period associated with the key changeover, a mapped dataset by converting anonymized tokens in the second set of telemetry data into anonymized tokens in the first set of telemetry data. The service augments, during the key rotation time period, the first set of telemetry data with the mapped dataset. The service assesses, during the time period, performance of the network by applying a machine learning-based model to the first set of telemetry data augmented with the mapped dataset.
    Type: Application
    Filed: November 12, 2018
    Publication date: May 14, 2020
    Inventors: Pierre-André Savalle, Jean-Philippe Vasseur, Alexandre Honoré, Grégory Mermoud
  • Publication number: 20200151622
    Abstract: In one embodiment, a device classification service that uses a machine learning-based device type classifier to classify endpoint devices with device types, identifies a set of device types having similar associated traffic telemetry features. The service obtains, via one or more user interfaces, feedback indicative of whether the device type classifier misclassifying an endpoint device having a particular device type in the set with another device type in the set would be a critical misclassification. The service trains, using the obtained feedback, a prediction model to predict an impact of misclassifying the particular device type as one of the other device types in the set of device types. The service also retrains the machine learning-based device type classifier based on a prediction from the prediction model.
    Type: Application
    Filed: November 12, 2018
    Publication date: May 14, 2020
    Inventors: Grégory Mermoud, Jean-Philippe Vasseur, Pierre-André Savalle
  • Publication number: 20200153694
    Abstract: In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.
    Type: Application
    Filed: November 13, 2018
    Publication date: May 14, 2020
    Inventors: Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud