Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.

Abstract: In one embodiment, a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly.

Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

Abstract: In one embodiment, a traffic model manager node receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.

Abstract: In one embodiment, a first data set is received by a network device that is indicative of the statuses of a plurality of network devices when a type of network attack is not present. A second data set is also received that is indicative of the statuses of the plurality of network devices when the type of network attack is present. At least one of the plurality simulates the type of network attack by operating as an attacking node. A machine learning model is trained using the first and second data set to identify the type of network attack. A real network attack is then identified using the trained machine learning model.

Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.

Abstract: In one embodiment, a device in a network monitors a selective anomaly forwarding mechanism deployed in the network. The selective anomaly forwarding mechanism causes a participating node in the mechanism to selectively forward detected network anomalies to the device. The device monitors one or more resources of the network. The device determines an adjustment to the selective anomaly forwarding mechanism based on the one or more monitored resources of the network. The device implements the determined adjustment to the selective anomaly forwarding mechanism.

Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.

Abstract: In one embodiment, a device in a network generates an expected traffic model based on a training set of data used to train a machine learning attack detector. The device provides the expected traffic model to one or more nodes in the network. The device receives an unexpected behavior notification from a particular node of the one or more nodes. The particular node generates the unexpected behavior notification based on a comparison between the expected traffic model and an observed traffic behavior by the node. The particular node also prevents the machine learning attack detector from analyzing the observed traffic behavior. The device updates the machine learning attack detector to account for the observed traffic behavior.

Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

Abstract: In one embodiment, a device in a network identifies a set of traffic flow records that triggered an attack detector. The device selects a subset of the traffic flow records and calculates aggregated metrics for the subset. The device provides the aggregated metrics for the subset to the attack detector to generate an attack detection determination for the subset of traffic flow records. The device identifies one or more attack traffic flows from the set of traffic flow records based on the attack detection determination for the subset of traffic flow records.

Abstract: In one embodiment, a device in a network receives information regarding one or more attack detection service level agreements. The device identifies a set of attack detection classifiers as potential voters in a voting mechanism used to detect a network attack. The device determines one or more parameters for the voting mechanism based on the information regarding the one or more attack detection service level agreements. The device adjusts the voting mechanism used by the potential voters based on the one or more parameters for the voting mechanism.

Abstract: In one embodiment, data flows are received in a network, and information relating to the received data flows is provided to a machine learning attack detector. Then, in response to receiving an attack detection indication from the machine teaming attack detector, a traffic segregation procedure is performed including: computing an anomaly score for each of the received data flows based on a degree of divergence from an expected traffic model, determining a subset of the received data flows that have an anomaly score that is lower than or equal to an anomaly threshold value, and providing information relating to the subset of the received data flows to the machine learning attack detector.

Abstract: In one embodiment, a device receives a classifier tracking request from a coordinator device that specifies a classifier verification time period. During the classifier verification time period, the device classifies a set of network traffic that includes traffic observed by the device and attack traffic specified by the coordinator device. The device generates classification results based on the classified set of network traffic and provides the classification results to the coordinator device.

Abstract: In one embodiment, a device in a network analyzes data regarding a detected anomaly in the network. The device determines whether the detected anomaly is a false positive. The device generates a white label for the detected anomaly based on a determination that the detected anomaly is a false positive. The device causes one or more alerts regarding the detected anomaly to be suppressed using the generated white label for the anomaly.

Abstract: In one embodiment, a device in a network captures a first set of packets based on first packet capture criterion. The captured first set of packets is provided for deep packet inspection and anomaly detection. The device receives a second packet capture criterion that differs from the first packet capture criterion. The device captures a second set of packets based on the second packet capture criterion. The device provides the captured second set of packets for deep packet inspection and anomaly detection. The anomaly detection of the captured first and second sets of packets is performed by a machine learning-based anomaly detector configured to generate anomaly detection results based in part on one or more traffic metrics gathered from the network and based further in part on deep packet inspection results of packets captured in the network.

Abstract: In one embodiment, a device determines that a machine learning model is to be trained by a plurality of devices in a network. A set of training devices are identified from among the plurality of devices to train the model, with each of the training devices having a local set of training data. An instruction is then sent to each of the training devices that is configured to cause a training device to receive model parameters from a first training device in the set, use the parameters with at least a portion of the local set of training data to generate new model parameters, and forward the new model parameters to a second training device in the set. Model parameters from the training devices are also received that have been trained using a global set of training data that includes the local sets of training data on the training devices.

Abstract: In one embodiment, attack observations by a first node are provided to a user interface device regarding an attack detected by the node. Input from the user interface device is received that confirms that a particular attack observation by the first node indicates that the attack was detected correctly by the first node. Attack observations by one or more other nodes are provided to the user interface device. Input is received from the user interface device that confirms whether the attack observations by the first node and the attack observations by the one or more other nodes are both related to the attack. The one or more other nodes are identified as potential voters for the first node in a voting-based attack detection mechanism based on the attack observations from the first node and the one or more other nodes being related.

Abstract: In one embodiment, a device determines that input data to a machine learning model sent from a plurality of source nodes to an aggregation node is causing network congestion. A set of one or more other nodes to perform aggregation of the machine learning model input data is selected. A type of aggregation to be performed by the set of one or more other nodes is also selected. The set of one or more other nodes is also instructed to perform the selected type of aggregation on the data sent from the source nodes.

Abstract: In one embodiment, a first network device receives a notification that the first network device has been selected to validate a machine learning model for a second network device. The first network device receives model parameters for the machine learning model that were generated by the second network device using training data on the second network device. The model parameters are used with local data on the first network device to determine performance metrics for the model parameters. The performance metrics are then provided to the second network device.