Abstract: In one embodiment, a device receives data regarding usage of access points in a network by a plurality of clients in the network. The device maintains an access point graph that represents the access points in the network as vertices of the access point graph. The device generates, for each of the plurality of clients, client trajectories as trajectory subgraphs of the access point graph. A particular client trajectory for a particular client comprises a set of edges between a subset of the vertices of the access point graph and represents transitions between access points in the network performed by the particular client. The device identifies a transition pattern from the client trajectories by deconstructing the trajectory subgraphs. The device uses the identified transition pattern to effect a configuration change in the network.

Abstract: In one embodiment, a labeling service receives traffic feature data for a cluster of endpoint devices in a network. A device classification service forms the cluster of endpoint devices by applying machine learning-based clustering to the feature data. The labeling service selects a subset of the endpoint devices in the cluster, in an effort to maximize diversity of the traffic feature data of the selected endpoint devices. The labeling service sends a control command into the network, to trigger a traffic behavior by the selected subset. The labeling service receives updated traffic feature data for the selected subset associated with the triggered traffic behavior. The labeling service controls whether a label request is sent to a user interface for labeling of the cluster of endpoint devices with a device type, based on the updated traffic feature data for the subset of endpoint devices in the cluster.

Abstract: In one embodiment, a device in a network maintains a plurality of anomaly detection models for different sets of aggregated traffic data regarding traffic in the network. The device determines a measure of confidence in a particular one of the anomaly detection models that evaluates a particular set of aggregated traffic data. The device dynamically replaces the particular anomaly detection model with a second anomaly detection model configured to evaluate the particular set of aggregated traffic data and has a different model capacity than that of the particular anomaly detection model. The device provides an anomaly event notification to a supervisory controller based on a combined output of the second anomaly detection model and of one or more of the anomaly detection models in the plurality of anomaly detection models.

Abstract: In one embodiment, a labeling service receives telemetry data for a cluster of endpoint devices in a first network environment. The endpoint devices in the cluster are clustered by a device classification service based on their telemetry data and labeled by a device type classifier of the device classification service as being of an unknown device type. The labeling service obtains a first device type label for the cluster of endpoint devices via a first user interface. The labeling service identifies one or more other network environments in which endpoint devices are located that have similar telemetry data as that of the cluster of endpoint devices. The labeling service obtains device type labels for the cluster of endpoint devices via a selected set of user interfaces from the identified one or more other network environments.

Abstract: In one embodiment, a device classification service receives data indicative of network traffic policies assigned to a plurality of device types. The device classification service associates measures of policy restrictiveness with the device types, based on the received data indicative of the network traffic policies assigned to the plurality of device types. The device classification service determines misclassification costs associated with a machine learning-based device type classifier of the service misclassifying an endpoint device of one of the plurality device types with another of the plurality of device types, based on their associated measures of policy restrictiveness. The device classification service adjusts the machine learning-based device type classifier to account for the determined misclassification costs.

Abstract: In one embodiment, a labeling service receives traffic feature data for a cluster of endpoint devices in a network. A device classification service forms the cluster of endpoint devices by applying machine learning-based clustering to the feature data. The labeling service selects a subset of the endpoint devices in the cluster, in an effort to maximize diversity of the traffic feature data of the selected endpoint devices. The labeling service sends a control command into the network, to trigger a traffic behavior by the selected subset. The labeling service receives updated traffic feature data for the selected subset associated with the triggered traffic behavior. The labeling service controls whether a label request is sent to a user interface for labeling of the cluster of endpoint devices with a device type, based on the updated traffic feature data for the subset of endpoint devices in the cluster.

Abstract: In one embodiment, a device clusters traffic feature vectors for a plurality of endpoints in a network into a set of clusters. Each traffic feature vector comprises traffic telemetry data captured for one of the endpoints. The device selects one of the clusters for labeling, based in part on contextual data associated with the clusters that was not used to form the clusters. The device obtains a device type label for the selected cluster by providing data regarding the selected cluster and the contextual data associated with that cluster to a user interface. The device provides the device type label and the traffic feature vectors associated with the selected cluster for training a machine learning-based device type classifier.

Abstract: In one embodiment, a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.

Abstract: In one embodiment, a network assurance service maintains a first set of telemetry data from the network anonymized using a first key regarding a plurality of network entities in a monitored network. The service receives a key rotation notification indicative of a key changeover from the first key to a second key for anonymization of a second set of telemetry data from the network. The service forms, during a key rotation time period associated with the key changeover, a mapped dataset by converting anonymized tokens in the second set of telemetry data into anonymized tokens in the first set of telemetry data. The service augments, during the key rotation time period, the first set of telemetry data with the mapped dataset. The service assesses, during the time period, performance of the network by applying a machine learning-based model to the first set of telemetry data augmented with the mapped dataset.

Abstract: In one embodiment, a device classification service that uses a machine learning-based device type classifier to classify endpoint devices with device types, identifies a set of device types having similar associated traffic telemetry features. The service obtains, via one or more user interfaces, feedback indicative of whether the device type classifier misclassifying an endpoint device having a particular device type in the set with another device type in the set would be a critical misclassification. The service trains, using the obtained feedback, a prediction model to predict an impact of misclassifying the particular device type as one of the other device types in the set of device types. The service also retrains the machine learning-based device type classifier based on a prediction from the prediction model.

Abstract: In one embodiment, a device classification service receives a plurality of device classification rulesets, each ruleset associating a set of device characteristics with a device type label. The device classification service forms a unified ruleset by resolving a conflict between conflicting device characteristics from two or more of the device classification rulesets. The device classification service trains a machine learning-based device classifier using the unified ruleset. The device classification service classifies, using telemetry data for a device in a network as input to the trained device classifier, the device with the device type label.

Abstract: In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.

Abstract: In one embodiment, a device receives traffic telemetry data captured by a plurality of networks and used by device classification services in the networks to classify endpoints in the networks with device types. The device compares the telemetry data from a particular one of the networks to the telemetry data from the other networks to identify one or more traffic characteristics that are missing from the telemetry data for one or more endpoints of the particular network. The device identifies a networking entity in the particular network that is common to the one or more endpoints for which the one or more characteristics are missing. The device determines a configuration change for the networking entity by comparing a current configuration of the entity to those of one or more entities in the other networks. The device initiates implementation of the determined configuration change for the entity in the particular network.

Abstract: In one embodiment, a label stability analyzer service receives classification data indicative of device type labels assigned to endpoints in a network by a device classification service. The label stability analyzer service counts device type label changes made by the device classification service to the endpoints. The label stability analyzer service computes variability metrics for the device type labels, wherein the variability metric for a device type label is based on a count of the device type label changes associated with that label. The label stability analyzer service determines, based on one of the variability metrics for a particular one of the device type labels exceeding a threshold value, a configuration change for the device classification service that adjusts how the device classification service applies the particular label to endpoints. The label stability analyzer service provides the configuration change to the device classification service.

Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.

Abstract: In one embodiment, a device classification service extracts, for each of a plurality of time windows, one or more sets of traffic features of network traffic in a network from traffic telemetry data captured by the network. The service represents, for the time windows, the extracted one or more sets of traffic features as feature vectors. A feature vector for a time window indicates whether each of the traffic features was present in the network traffic during that window. The service trains, using a training dataset based on the feature vectors, a cascade of machine learning classifiers to label devices with device types. The service uses the classifiers to label a particular device in the network with a device type based on the traffic features of network traffic associated with that device. The service initiates enforcement of a network policy regarding the device based on its device type.

Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.

Abstract: In one embodiment, a service identifies a performance issue exhibited by a first device in a first network. The service forms a set of one or more time series of one or more characteristics of the first device associated with the identified performance issue. The service generates a mapping between the set of one or more time series of one or more characteristics of the first device to one or more time series of one or more characteristics of a second device in a second network. The mapping comprises a relevancy score that quantifies a degree of similarity between the characteristics of the first and second devices. The service determines a likelihood of the second device exhibiting the performance issue based on the generated mapping and on the relevancy score. The service provides an indication of the determined likelihood to a user interface associated with the second network.

Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.

Abstract: In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.