Abstract: In one embodiment, a service tracks performance of a machine learning model over time. The machine learning model is used to monitor one or more computer networks based on data collected from the one or more computer networks. The service also tracks performance metrics associated with training of the machine learning model. The service determines that a degradation of the performance of the machine learning model is anomalous, based on the tracked performance of the machine learning model and performance metrics associated with training of the model. The service initiates a corrective measure for the degradation of the performance, in response to determining that the degradation of the performance is anomalous.

Abstract: In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.

Abstract: In one embodiment, a service receives a plurality of device type classification rules, each rule comprising a device type label and one or more device attributes used as criteria for application of the label to a device in a network. The service estimates, across a space of the device attributes, device densities of devices having device attributes at different points in that space. The service uses the estimated device densities to identify two or more of the device type classification rules as having overlapping device attributes. The service determines that the two or more device type classification rules are in conflict, based on the two or more rules having different device type labels. The service generates a rule conflict resolution that comprises one of the device type labels from the conflicting two or more device type classification rules.

Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.

Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.

Abstract: In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.

Abstract: In one embodiment, a service detects that an event of a particular event type has occurred in a software-defined wide area network (SD-WAN). The service activates, in response to detecting the occurrence of the event, a machine learning model to assess telemetry data regarding a first tunnel in the SD-WAN. The service predicts a failure of the first tunnel, based on the assessment of the telemetry data regarding the first tunnel by the machine learning model. The service proactively reroutes at least a subset of traffic on the first tunnel onto a second tunnel in the SD-WAN, in advance of the predicted failure of the first tunnel.

Abstract: In one embodiment, a device classification service receives a plurality of device classification rulesets, each ruleset associating a set of device characteristics with a device type label. The device classification service forms a unified ruleset by resolving a conflict between conflicting device characteristics from two or more of the device classification rulesets. The device classification service trains a machine learning-based device classifier using the unified ruleset. The device classification service classifies, using telemetry data for a device in a network as input to the trained device classifier, the device with the device type label.

Abstract: In one embodiment, a network assurance service maintains a first set of telemetry data from the network anonymized using a first key regarding a plurality of network entities in a monitored network. The service receives a key rotation notification indicative of a key changeover from the first key to a second key for anonymization of a second set of telemetry data from the network. The service forms, during a key rotation time period associated with the key changeover, a mapped dataset by converting anonymized tokens in the second set of telemetry data into anonymized tokens in the first set of telemetry data. The service augments, during the key rotation time period, the first set of telemetry data with the mapped dataset. The service assesses, during the time period, performance of the network by applying a machine learning-based model to the first set of telemetry data augmented with the mapped dataset.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In various embodiments, a device classification service makes a determination that an endpoint device in a network is eligible for expedited device classification based on a policy. The device classification service obtains, after making the determination that the endpoint device in the network is eligible for expedited device classification, telemetry data regarding the endpoint device generated by actively probing the endpoint device. The device classification service determines whether the telemetry data regarding the endpoint device matches any existing device classification rules. The device classification service generates, based on the telemetry data, a device classification rule that assigns a device type to the endpoint device, when the telemetry data does not match any existing device classification rules.

Abstract: In one embodiment, a network assurance service that monitors one or more networks identifies changes in a key performance indicator for each of a plurality of network entities in the one or more networks. The service forms a peer group of network entities from the plurality of network entities whose changes in the key performance indicator are correlated. The service monitors the key performance indicator for network entities in the peer group of network entities. The service, based on the monitoring, detects an anomalous change in the key performance indicator for a particular network entity in the peer group of network entities relative to other network entities in the peer group of network entities.

Abstract: In one embodiment, a device deploys a first machine learning model to an inference location in a network. The first machine learning model is used at the inference location to make inferences about the network. The device receives, from the inference location, an indication that the first machine learning model is exhibiting poor performance. The device identifies a corrective measure for the poor performance that minimizes resource consumption by a model training pipeline of the device. The device deploys, based on the corrective measure, a second machine learning model to the inference location. The second machine learning model is used in lieu of the first machine learning model to make the inferences about the network.

Abstract: In various embodiments, a device obtains a set of device classification rules. Each device classification rule specifies one or more attributes from a set of attributes and being configured to assign a device type to an endpoint in a network when the endpoint exhibits the one or more attributes specified by that rule. The device forms a graphical representation of the set of attributes. The device performs an analysis of the graphical representation of the set of attributes. The device provides a result of the analysis to a user interface.

Abstract: In various embodiments, a device classification service obtains device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device. The device classification service labels the device with a device type, based on the device telemetry data. The device classification service detects device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes. The device classification service initiates, based on the device type spoofing, a mitigation action regarding the device.

Abstract: In various embodiments, a device classification service uses an initial device classification rule to label each of a set of endpoint devices in a network as being of a particular device type. The device classification service identifies a particular attribute exhibited by at least a portion of the set of endpoint devices and was not previously used to generate the initial device classification rule. The device classification service generates one or more new device classification rules based in part on the particular attribute. The device classification service switches from using the initial device classification rule to label endpoint devices in the network to using the one or more new device classification rules to label endpoint devices in the network.

Abstract: In one embodiment, a device in a network obtains data indicative of a device classification rule, a device type label associated with the rule, and a set of positive and negative feature vectors used to create the rule. The device replaces similar feature vectors in the set of positive and negative feature vectors with a single feature vector, to form a reduced set of feature vectors. The device applies differential privacy to the reduced set of feature vectors. The device sends a digest to a cloud service. The digest comprises the device classification rule, the device type label, and the reduced set of feature vectors to which differential privacy was applied. The service uses the digest to train a machine learning-based device classifier.

Abstract: In one embodiment, a device classification service that uses a machine learning-based device type classifier to classify endpoint devices with device types, identifies a set of device types having similar associated traffic telemetry features. The service obtains, via one or more user interfaces, feedback indicative of whether the device type classifier misclassifying an endpoint device having a particular device type in the set with another device type in the set would be a critical misclassification. The service trains, using the obtained feedback, a prediction model to predict an impact of misclassifying the particular device type as one of the other device types in the set of device types. The service also retrains the machine learning-based device type classifier based on a prediction from the prediction model.

Abstract: In one embodiment, a device constructs a set of controlled what-if input parameters for evaluating a what-if scenario in a network. The device uses the set of controlled what-if input parameters and state data indicative of a current state of the network as input to a network state model. The network state model predicts values for the state data conditioned on the what-if input parameters. The device predicts a key performance indicator (KPI) in the network by using the predicted values for the state data from the network state model as input to a machine learning-based KPI prediction model. The device initiates a routing change in the network based in part on the predicted KPI.

Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.