Abstract: In one embodiment, techniques are shown and described relating to dynamically adjusting a set of monitored network properties using distributed learning machine feedback. In particular, in one embodiment, a learning machine (or distributed learning machines) determines a plurality of monitored network properties in a computer network. From this, a subset of relevant network properties of the plurality of network properties may be determined, such that a corresponding subset of irrelevant network properties based on the subset of relevant network properties may also be determined. Accordingly, the computer network may be informed of the irrelevant network properties to reduce a rate of monitoring the irrelevant network properties.

Abstract: In one embodiment, a device in a network receives a switchover policy for a particular type of traffic in the network. The device determines a predicted effect of directing a traffic flow of the particular type of traffic from a first path in the network to a second path in the network. The device determines whether the predicted effect of directing the traffic flow to the second path would violate the switchover policy. The device causes the traffic flow to be routed via the second path in the network, based on a determination that the predicted effect of directing the traffic flow to the second path would not violate the switchover policy for the particular type of traffic.

Abstract: In one embodiment, a management system determines respective capability information of machine learning systems, the capability information including at least an action the respective machine learning system is configured to perform. The management system receives, for each of the machine learning systems, respective performance scoring information associated with the respective action, and computes a degree of freedom for each machine learning system to perform the respective action based on the performance scoring information. Accordingly, the management system then specifies the respective degree of freedom to the machine learning systems. In one embodiment, the management system comprises a management device that computes a respective trust level for the machine learning systems based on receiving the respective performance scoring feedback, and a policy engine that computes the degree of freedom based on receiving the trust level.

Abstract: In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model.

Abstract: In one embodiment, a network device routes traffic along a network path and receives a performance threshold crossing alert regarding performance of the network path. The network device detects that the performance threshold crossing alert is part of a potential network attack by analyzing, by the device, the performance threshold crossing alert. The network device also provides a notification of the detected network attack.

Abstract: In one embodiment, a device in a network monitors one or more metrics regarding network traffic associated with a particular application. The device detects an application-centric anomaly based on the monitored one or more metrics. The device causes an anomaly mitigation action to be performed in the network, in response to detecting the application-centric anomaly.

Abstract: In one embodiment, a time period is identified in which probe packets are to be sent along a path in a network based on predicted user traffic along the path. The probe packets are then sent during the identified time period along the path. Conditions of the network path are monitored during the time period. The rate at which the packets are sent during the time period is dynamically adjusted based on the monitored conditions. Results of the monitored conditions are collected, to determine an available bandwidth limit along the path.

Abstract: In one embodiment, a first device in a network receives traffic flow data from a plurality of devices in the network. The traffic flow data from at least one of the plurality of devices comprises raw packets of a traffic flow. The first device selects a set of reporting devices from among the plurality of devices based on the received traffic flow data. The first device provides traffic flow reporting instructions to the selected set of reporting devices. The traffic flow reporting instructions cause each reporting device to provide sampled traffic flow data to an anomaly detection device.

Abstract: In one embodiment, a device in a network monitors performance data for a first predictive model. The first predictive model is used to make proactive decisions in the network. The device maintains a supervisory model based on the monitored performance data for the first predictive model. The device identifies a time period during which the supervisory model predicts that the first predictive model will perform poorly. The device causes a switchover from the first predictive model to a second predictive model at a point in time associated with the time period, in response to identifying the time period.

Abstract: In one embodiment, a capable node in a low power and lossy network (LLN) may monitor the authentication time for one or more nodes in the LLN. The capable node may dynamically correlate the authentication time with the location of the one or more nodes in the LLN in order to identify one or more authentication-delayed nodes. The node may then select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys so that the key-delegation nodes may perform localized authentication of one or more of the authentication-delayed nodes. The capable node may then distribute the one or more network keys to the one or more key-delegation nodes.

Abstract: In one embodiment, a first device in a network identifies a first traffic flow between two endpoints that traverses the first device in a first direction. The first device receives information from a second device in the network regarding a second traffic flow between the two endpoints that traverses the second device in a second direction that is opposite that of the first direction. The first device merges characteristics of the first traffic flow captured by the first device with characteristics of the second traffic flow captured by the second device and included in the information received from the second device, to form an input feature set. The first device detects an anomaly in the network by analyzing the input feature set using a machine learning-based anomaly detector.

Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.

Abstract: In one embodiment, a device in a network performs anomaly detection functions using a machine learning-based anomaly detector to detect anomalous traffic in the network. The device identifies an ability of one or more nodes in the network to perform at least one of the anomaly detection functions. The device selects a particular one of the anomaly detection functions to offload to a particular one of the nodes, based on the ability of the particular node to perform the particular anomaly detection function. The device instructs the particular node to perform the selected anomaly detection function.

Abstract: In one embodiment, a device in a network receives anomaly data regarding an anomaly detected by a machine learning-based anomaly detection mechanism of a first node in the network. The device matches the anomaly data to threat intelligence feed data from one or more threat intelligence services. The device determines whether to provide threat intelligence feedback to the first node based on the matched threat intelligence feed data and one or more policy rules. The device provides threat intelligence feedback to the first node regarding the matched threat intelligence feed data, in response to determining that the device should provide threat intelligence feedback to the first node.

Abstract: In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.

Abstract: In one embodiment, a primary networking device in a branch network receives a notification of an anomaly detected by a secondary networking device in the branch network. The primary networking device is located at an edge of the network. The primary networking device aggregates the anomaly detected by the secondary networking device and a second anomaly detected in the network into an aggregated anomaly. The primary networking device associates the aggregated anomaly with a location of the secondary networking device in the branch network. The primary networking device reports the aggregated anomaly and the associated location of the secondary networking device to a supervisory device.

Abstract: In one embodiment, a device in a network identifies a universal resource locator (URL) from traffic destined for the URL that triggered a first anomaly detected by an anomaly detector. The device reports the first anomaly and the identified URL to a supervisory device in the network. The device receives a URL filter rule for the URL. The URL filter rule is configured to affect anomaly scores generated by the anomaly detector for traffic destined for the URL or a domain associated with the URL. The device uses the URL filter rule to adjust an anomaly score for a second anomaly detected by the anomaly detector based on the second anomaly involving traffic destined for the URL or the domain associated with the URL.

Abstract: In one embodiment, network metrics are collected and analyzed in a network having nodes interconnected by communication links. Then, it is predicted whether a network element failure is relatively likely to occur based on the collected and analyzed network metrics. In response to predicting that a network element failure is relatively likely to occur, traffic in the network is rerouted in order to avoid the network element failure before it is likely to occur.

Abstract: In one embodiment, network traffic data is received regarding traffic flowing through one or more routers in a network. A future traffic profile through the one or more routers is predicted by modeling the network traffic data. Network condition data for the network is received and future network performance is predicted by modeling the network condition data. A behavior of the network is adjusted based on the predicted future traffic profile and on the predicted network performance.

Abstract: In one embodiment, a learning data processor determines a plurality of machine learning features in a computer network to collect. Upon receiving data corresponding to the plurality of features, the learning data processor may aggregate the data, and pushes the aggregated data for select features to interested learning machines associated with the computer network.