Abstract: In one embodiment, a device receives traffic telemetry data captured by a plurality of networks and used by device classification services in the networks to classify endpoints in the networks with device types. The device compares the telemetry data from a particular one of the networks to the telemetry data from the other networks to identify one or more traffic characteristics that are missing from the telemetry data for one or more endpoints of the particular network. The device identifies a networking entity in the particular network that is common to the one or more endpoints for which the one or more characteristics are missing. The device determines a configuration change for the networking entity by comparing a current configuration of the entity to those of one or more entities in the other networks. The device initiates implementation of the determined configuration change for the entity in the particular network.

Abstract: In one embodiment, a network assurance service receives a first set of telemetry data captured in a first network monitored by the network assurance service. The network assurance service computes, for each of a plurality of other networks monitored by the service, a similarity score between the first set of telemetry data and a set of telemetry data captured in that other network. The service selects a machine learning-based anomaly detector trained using a particular one of the sets of telemetry data captured in one of the plurality of other networks, based on the computed similarity score between the first set of telemetry data and the particular set of telemetry data captured in one of the plurality of other networks. The service uses the selected anomaly detector to assess telemetry data from the first network, until the service has received a threshold amount of telemetry data for the first network.

Abstract: In one embodiment, a label stability analyzer service receives classification data indicative of device type labels assigned to endpoints in a network by a device classification service. The label stability analyzer service counts device type label changes made by the device classification service to the endpoints. The label stability analyzer service computes variability metrics for the device type labels, wherein the variability metric for a device type label is based on a count of the device type label changes associated with that label. The label stability analyzer service determines, based on one of the variability metrics for a particular one of the device type labels exceeding a threshold value, a configuration change for the device classification service that adjusts how the device classification service applies the particular label to endpoints. The label stability analyzer service provides the configuration change to the device classification service.

Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.

Abstract: In one embodiment, a device classification service extracts, for each of a plurality of time windows, one or more sets of traffic features of network traffic in a network from traffic telemetry data captured by the network. The service represents, for the time windows, the extracted one or more sets of traffic features as feature vectors. A feature vector for a time window indicates whether each of the traffic features was present in the network traffic during that window. The service trains, using a training dataset based on the feature vectors, a cascade of machine learning classifiers to label devices with device types. The service uses the classifiers to label a particular device in the network with a device type based on the traffic features of network traffic associated with that device. The service initiates enforcement of a network policy regarding the device based on its device type.

Abstract: In one embodiment, techniques are shown and described relating to traffic-based inference of influence domains in a network by using learning machines. In particular, in one embodiment, a management device computes a time-based traffic matrix indicating traffic between pairs of transmitter and receiver nodes in a computer network, and also determines a time-based quality parameter for a particular node in the computer network. By correlating the time-based traffic matrix and time-based quality parameter for the particular node, the device may then determine an influence of particular traffic of the traffic matrix on the particular node.

Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.

Abstract: In one embodiment, a network assurance service that monitors a network detects, using a machine learning-based anomaly detector, network anomalies associated with source nodes in the monitored network. The network assurance service identifies, for each of the detected anomalies, a set of network paths between the source nodes associated with the anomaly and one or more potential destinations of traffic for that source node. The network assurance service correlates networking devices along the network paths in the identified sets of network paths with the detected network anomalies. The network assurance service adjusts the machine learning-based anomaly detector to use a performance measurement for a particular one of the networking devices as an input feature, based on the correlation between the particular networking device and the detected network anomalies.

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

Abstract: In one embodiment, a service identifies a performance issue exhibited by a first device in a first network. The service forms a set of one or more time series of one or more characteristics of the first device associated with the identified performance issue. The service generates a mapping between the set of one or more time series of one or more characteristics of the first device to one or more time series of one or more characteristics of a second device in a second network. The mapping comprises a relevancy score that quantifies a degree of similarity between the characteristics of the first and second devices. The service determines a likelihood of the second device exhibiting the performance issue based on the generated mapping and on the relevancy score. The service provides an indication of the determined likelihood to a user interface associated with the second network.

Abstract: In one embodiment, a network assurance service that monitors a network detects a behavioral anomaly in the network using an anomaly detector that compares an anomaly detection threshold to a target value calculated based on a first set of one or more measurements from the network. The service uses an explanation model to predict when the anomaly detector will detect anomalies. The explanation model takes as input a second set of one or more measurements from the network that differs from the first set. The service determines that the detected anomaly is explainable, based on the explanation model correctly predicting the detection of the anomaly by the anomaly detector. The service provides an anomaly detection alert for the detected anomaly to a user interface, based on the detected anomaly being explainable. The anomaly detection alert indicates at least one measurement from the second set as an explanation for the anomaly.

Abstract: In one embodiment, a network assurance service that monitors a network detects a behavioral anomaly in the network using an anomaly detector that compares an anomaly detection threshold to a target value calculated based on a first set of one or more measurements from the network. The service uses an explanation model to predict when the anomaly detector will detect anomalies. The explanation model takes as input a second set of one or more measurements from the network that differs from the first set. The service determines that the detected anomaly is explainable, based on the explanation model correctly predicting the detection of the anomaly by the anomaly detector. The service provides an anomaly detection alert for the detected anomaly to a user interface, based on the detected anomaly being explainable. The anomaly detection alert indicates at least one measurement from the second set as an explanation for the anomaly.

Abstract: In one embodiment, a device in a network receives data indicative of a target state for one or more distributed learning agents in the network. The device determines a difference between the target state and state information maintained by the device regarding the one or more distributed learning agents. The device calculates a synchronization penalty score for each of the one or more distributed learning agents. The device selects a particular one of the one or more distributed learning agents with which to synchronize, based on the synchronization penalty score for the selected distributed learning agent and on the determined difference between the target state and the state information regarding the selected distributed learning agent. The device initiates synchronization of the state information maintained by the device regarding the selected distributed learning agent with state information from the selected distributed learning agent.

Abstract: In one embodiment, techniques are shown and described relating to traffic-based inference of influence domains in a network by using learning machines. In particular, in one embodiment, a management device computes a time-based traffic matrix indicating traffic between pairs of transmitter and receiver nodes in a computer network, and also determines a time-based quality parameter for a particular node in the computer network. By correlating the time-based traffic matrix and time-based quality parameter for the particular node, the device may then determine an influence of particular traffic of the traffic matrix on the particular node.

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

Abstract: In one embodiment, a network assurance service uses a first machine-learning based model that is locally deployed to a network to assess a set of input features comprising measurements from the network. The service monitors, locally in the network, performance of the first machine learning-based model. The service determines that the monitored performance of the first machine learning-based model does not meet one or more performance requirements associated with the network. The service selects a second machine learning-based model for deployment to the network, based on the one or more performance requirements associated with the network and on the set of input features of the first machine learning-based model. The service deploys the selected second machine learning-based model to the network as a replacement for the first machine learning-based model.

Abstract: In one embodiment, a network assurance service that monitors a network detects a set of anomalous measurements from the network over time by applying a machine learning-based anomaly detector to the measurements. The service computes, for each of the anomalous measurements, an anomaly severity score based on weighted severity factors used to compute anomaly severity scores. The severity factors include one or more of: a device type associated with the measurements, a duration of the anomalous measurements, a network impact associated with the anomalous measurements, or an aggregate metric based on distances between the measurements and a prediction band of the anomaly detector. The service sends an anomaly alert to a user interface, based on the computed anomaly severity score, and receives feedback from the user interface regarding the anomaly alert. The service adjusts, based on the received feedback, weightings of the severity factors used to compute anomaly severity scores.

Abstract: In one embodiment, a network assurance service executing in a local network clusters measurements obtained from the local network regarding a plurality of devices in the local network into measurement clusters. The network assurance service computes aggregated metrics for each of the measurement clusters. The network assurance service sends a machine learning model computation request to a remote service outside of the local network that includes the aggregated metrics for each of the measurement clusters. The remote service uses the aggregated metrics to train a machine learning-based model to analyze the local network. The network assurance service receives the trained machine learning-based model to analyze performance of the local network. The network assurance service uses the receive machine learning-based model to analyze performance of the local network.

Abstract: In one embodiment, a network assurance service that monitors a plurality of networks subdivides telemetry data regarding devices located in the networks into subsets, wherein each subset is associated with a device type, time period, metric type, and network. The service summarizes each subset by computing distribution percentiles of metric values in the subset. The service identifies an outlier subset by comparing distribution percentiles that summarize the subsets. The service reports insight data regarding the outlier subset to a user interface. The service adjusts the subsets based in part on feedback regarding the insight data from the user interface.

Abstract: In one embodiment, one or more reporting nodes are selected to report network metrics in a network. From a monitoring node in the network, a trigger message is sent to the one or more reporting nodes. The trigger message may trigger the one or more reporting nodes to report one or more network metrics local to the respective reporting node. In response to the trigger message, a report of the one or more network metrics is received at the monitoring node from one of the one or more reporting nodes.