Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.

Abstract: In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.

Abstract: In one embodiment, a device identifies a new traffic flow in a network. The device determines a service level agreement (SLA) associated with the new traffic flow. The device uses a machine learning model to predict whether a particular tunnel in the network can satisfy the determined SLA of the traffic were the traffic flow routed onto the tunnel. The device performs call admission control to route the new traffic flow onto the particular tunnel, based on a prediction that the tunnel can satisfy the determined SLA of the traffic.

Abstract: In one embodiment, a device receives observed access point (AP) features of one or more APs in a monitored network. The device clusters the observed AP features within a latent space to form AP feature clusters. The device applies labels to the AP feature clusters within the latent space. The device uses the applied labels to the AP feature clusters to describe future behaviors of the one or more APs in the monitored network.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.

Abstract: In one embodiment, a device identifies a new traffic flow in a network. The device determines a service level agreement (SLA) associated with the new traffic flow. The device uses a machine learning model to predict whether a particular tunnel in the network can satisfy the determined SLA of the traffic were the traffic flow routed onto the tunnel. The device performs call admission control to route the new traffic flow onto the particular tunnel, based on a prediction that the tunnel can satisfy the determined SLA of the traffic.

Abstract: In one embodiment, a device constructs a set of controlled what-if input parameters for evaluating a what-if scenario in a network. The device uses the set of controlled what-if input parameters and state data indicative of a current state of the network as input to a network state model. The network state model predicts values for the state data conditioned on the what-if input parameters. The device predicts a key performance indicator (KPI) in the network by using the predicted values for the state data from the network state model as input to a machine learning-based KPI prediction model. The device initiates a routing change in the network based in part on the predicted KPI.

Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.

Abstract: In one embodiment, a service receives a plurality of device type classification rules, each rule comprising a device type label and one or more device attributes used as criteria for application of the label to a device in a network. The service estimates, across a space of the device attributes, device densities of devices having device attributes at different points in that space. The service uses the estimated device densities to identify two or more of the device type classification rules as having overlapping device attributes. The service determines that the two or more device type classification rules are in conflict, based on the two or more rules having different device type labels. The service generates a rule conflict resolution that comprises one of the device type labels from the conflicting two or more device type classification rules.

Abstract: In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.

Abstract: In one embodiment, a device in a network obtains data indicative of a device classification rule, a device type label associated with the rule, and a set of positive and negative feature vectors used to create the rule. The device replaces similar feature vectors in the set of positive and negative feature vectors with a single feature vector, to form a reduced set of feature vectors. The device applies differential privacy to the reduced set of feature vectors. The device sends a digest to a cloud service. The digest comprises the device classification rule, the device type label, and the reduced set of feature vectors to which differential privacy was applied. The service uses the digest to train a machine learning-based device classifier.

Abstract: In one embodiment, a device predicts a failure of a first tunnel in a software-defined wide area network (SD-WAN). The device determines that no backup tunnel for the first tunnel exists in the SD-WAN that can satisfy one or more service level agreements (SLAs) of traffic on the first tunnel, were the traffic rerouted from the first tunnel onto that tunnel. The device predicts, using a machine learning model, that a backup tunnel for the first tunnel exists in the SD-WAN that can satisfy an SLA of a subset of the traffic on the first tunnel, in response to determining that no backup tunnel exists in the SD-WAN that can satisfy the one or more SLAs of the traffic on the first tunnel. The device proactively reroutes the subset of the traffic on the first tunnel onto the backup tunnel, in advance of the predicted failure of the first tunnel.

Abstract: In one embodiment, a service in a network computes an expected information gain associated with rerouting traffic from a first tunnel onto a backup tunnel in the network. The service initiates, based on the expected information gain, rerouting of the traffic from the first tunnel onto the backup tunnel. The service obtains performance measurements for the traffic rerouted onto the backup tunnel. The service uses the performance measurements to train a machine learning model to predict whether rerouting traffic from the first tunnel onto the backup tunnel will satisfy a service level agreement (SLA) of the traffic.

Abstract: In one embodiment, a device classification service forms a device cluster by applying clustering to telemetry data associated with a plurality of devices. The service obtains device type labels for the device cluster. The service generates a device type classification rule using the device type labels and the telemetry data. The service determines whether the device type classification rule should be revalidated by applying a revalidation policy to the device type classification rule. The service revalidates the device type classification rule, based on a determination that the device type classification rule should be revalidated.

Abstract: In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.

Abstract: In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.

Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.

Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.

Abstract: In one embodiment, a device receives traffic telemetry data captured by a plurality of networks and used by device classification services in the networks to classify endpoints in the networks with device types. The device compares the telemetry data from a particular one of the networks to the telemetry data from the other networks to identify one or more traffic characteristics that are missing from the telemetry data for one or more endpoints of the particular network. The device identifies a networking entity in the particular network that is common to the one or more endpoints for which the one or more characteristics are missing. The device determines a configuration change for the networking entity by comparing a current configuration of the entity to those of one or more entities in the other networks. The device initiates implementation of the determined configuration change for the entity in the particular network.