Patents by Inventor Laurent Sartran

Laurent Sartran has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10389741
    Abstract: In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: August 20, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Laurent Sartran, Jean-Philippe Vasseur, Grégory Mermoud
  • Patent number: 10389606
    Abstract: In one embodiment, a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: August 20, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Laurent Sartran, Grégory Mermoud
  • Patent number: 10320824
    Abstract: In one embodiment, a device in a network receives traffic metrics for a plurality of applications in the network. The device populates a feature space for a machine learning-based anomaly detector. The device identifies a missing dataset in the feature space for a particular one of the plurality of applications. The device adjusts how traffic is sent in the network, to capture the missing dataset.
    Type: Grant
    Filed: January 7, 2016
    Date of Patent: June 11, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Laurent Sartran
  • Publication number: 20190081973
    Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
    Type: Application
    Filed: November 14, 2018
    Publication date: March 14, 2019
    Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
  • Patent number: 10218729
    Abstract: In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: February 26, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Sébastien Gay, Laurent Sartran, Jean-Philippe Vasseur
  • Patent number: 10164991
    Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: December 25, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
  • Publication number: 20180241762
    Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
    Type: Application
    Filed: February 23, 2017
    Publication date: August 23, 2018
    Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
  • Publication number: 20180152466
    Abstract: In one embodiment, a device in a network obtains characteristic data regarding one or more traffic flows in the network. The device incrementally estimates an amount of noise associated with a machine learning feature using bootstrapping. The machine learning feature is derived from the sampled characteristic data. The device applies a filter to the estimated amount of noise associated with the machine learning feature, to determine a value for the machine learning feature. The device identifies a network anomaly that exists in the network by using the determined value for the machine learning feature as input to a machine learning-based anomaly detector. The device causes performance of an anomaly mitigation action based on the identified network anomaly.
    Type: Application
    Filed: November 30, 2016
    Publication date: May 31, 2018
    Inventors: Laurent Sartran, Sébastien Gay, Jean-Philippe Vasseur, Grégory Mermoud
  • Publication number: 20180077182
    Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
    Type: Application
    Filed: September 13, 2016
    Publication date: March 15, 2018
    Inventors: Laurent Sartran, Sébastien Gay, Pierre-André Savalle, Grégory Mermoud, Jean-Philippe Vasseur
  • Publication number: 20180013776
    Abstract: In one embodiment, a device in a network receives sets of traffic flow features from an unsupervised machine learning-based anomaly detector. The sets of traffic flow features are associated with anomaly scores determined by the anomaly detector. The device ranks the sets of traffic flow features based in part on their anomaly scores. The device applies a genetic programming approach to the ranked sets of traffic flow features to generate new sets of traffic flow features. The genetic programming approach uses a fitness function that is based in part on the rankings of the sets of traffic flow features. The device specializes the anomaly detector to emphasize a particular type of anomaly using the new sets of traffic flow features.
    Type: Application
    Filed: July 8, 2016
    Publication date: January 11, 2018
    Inventors: Sébastien Gay, Laurent Sartran, Jean-Philippe Vasseur
  • Publication number: 20170279694
    Abstract: In one embodiment, a device in a network identifies a plurality of traffic records as anomalous. The device matches each of the plurality of traffic records to one or more anomalies using one or more anomaly graphs. A particular anomaly graph represents hosts in the network as vertices in the graph and communications between hosts as edges in the graph. The device applies one or more ordering rules to the traffic records, to uniquely associate each traffic record to an anomaly in the one or more anomalies. The device sends an anomaly notification for a particular anomaly that is based on the traffic records associated with the particular anomaly.
    Type: Application
    Filed: July 15, 2016
    Publication date: September 28, 2017
    Inventors: Laurent Sartran, Grégory Mermoud
  • Publication number: 20170279827
    Abstract: In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
    Type: Application
    Filed: May 24, 2016
    Publication date: September 28, 2017
    Inventors: Pierre-André Savalle, Laurent Sartran, Jean-Philippe Vasseur, Grégory Mermoud
  • Publication number: 20170279834
    Abstract: In one embodiment, a device in a network receives feedback regarding an anomaly reporting mechanism used by the device to report network anomalies detected by a plurality of distributed learning agents to a user interface. The device determines an anomaly assessment rate at which a user of the user interface is expected to assess reported anomalies based in part on the feedback. The device receives an anomaly notification regarding a particular anomaly detected by a particular one of the distributed learning agents. The device reports, via the anomaly reporting mechanism, the particular anomaly to the user interface based on the determined anomaly assessment rate.
    Type: Application
    Filed: July 15, 2016
    Publication date: September 28, 2017
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Laurent Sartran, Sébastien Gay
  • Publication number: 20170279828
    Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.
    Type: Application
    Filed: June 8, 2016
    Publication date: September 28, 2017
    Inventors: Pierre-André Savalle, Grégory Mermoud, Laurent Sartran, Jean-Philippe Vasseur
  • Publication number: 20170279698
    Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.
    Type: Application
    Filed: June 21, 2016
    Publication date: September 28, 2017
    Inventors: Laurent Sartran, Pierre-André Savalle, Jean-Philippe Vasseur, Grégory Mermoud, Javier Cruz Mota, Sébastien Gay
  • Publication number: 20160219070
    Abstract: In one embodiment, a device in a network receives traffic metrics for a plurality of applications in the network. The device populates a feature space for a machine learning-based anomaly detector. The device identifies a missing dataset in the feature space for a particular one of the plurality of applications. The device adjusts how traffic is sent in the network, to capture the missing dataset.
    Type: Application
    Filed: January 7, 2016
    Publication date: July 28, 2016
    Inventors: Jean-Philippe Vasseur, Grégory Mermoud, Laurent Sartran