Abstract: In one embodiment, a device receives observed access point (AP) features of one or more APs in a monitored network. The device clusters the observed AP features within a latent space to form AP feature clusters. The device applies labels to the AP feature clusters within the latent space. The device uses the applied labels to the AP feature clusters to describe future behaviors of the one or more APs in the monitored network.
Type:
Grant
Filed:
June 12, 2017
Date of Patent:
February 9, 2021
Assignee:
Cisco Technology, Inc.
Inventors:
Javier Cruz Mota, Jean-Philippe Vasseur, Pierre-André Savalle, Grégory Mermoud
Abstract: In various embodiments, a device obtains a set of device classification rules. Each device classification rule specifies one or more attributes from a set of attributes and being configured to assign a device type to an endpoint in a network when the endpoint exhibits the one or more attributes specified by that rule. The device forms a graphical representation of the set of attributes. The device performs an analysis of the graphical representation of the set of attributes. The device provides a result of the analysis to a user interface.
Type:
Application
Filed:
April 28, 2020
Publication date:
October 28, 2021
Inventors:
David Tedaldi, Grégory Mermoud, Jürg Nicolaus Diemand, Jean-Philippe Vasseur, Pierre-André Savalle
Abstract: In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
Abstract: In one embodiment, a device classification service receives telemetry data indicative of behavioral characteristics of a plurality of devices in a network. The service obtains side information for the telemetry data. The service applies metric learning to the telemetry data and side information, to construct a distance function. The service uses the distance function to cluster the telemetry data into device clusters. The service associates a device type label with a particular device cluster.
Abstract: In one embodiment, a device in a network detects an anomaly in the network by analyzing a set of sample data regarding one or more conditions of the network using a behavioral analytics model. The device receives feedback regarding the detected anomaly. The device determines that the anomaly was a true positive based on the received feedback. The device excludes the set of sample data from a training set for the behavioral analytics model, in response to determining that the anomaly was a true positive.
Abstract: In one embodiment, a networking device in a network causes formation of device clusters of devices in the network. The devices in a particular cluster exhibit similar characteristics. The networking device receives feedback from a device identity service regarding the device clusters. The feedback is based in part on the device identity service probing the devices. The networking device adjusts the device clusters based on the feedback from the device identity service. The networking device performs anomaly detection in the network using the adjusted device clusters.
Type:
Application
Filed:
June 13, 2016
Publication date:
September 28, 2017
Inventors:
Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Andrea Di Pietro, Sukrit Dasgupta
Abstract: In one embodiment, a service divides one or more time series for a network key performance (KPI) into a plurality of time series chunks. The service clusters the plurality of time series chunks into a plurality of clusters. The service identifies a sketch that represents a particular one of the clusters. The service associates a label with the identified sketch. The service applies the label to a new KPI time series by matching the sketch to the new KPI time series.
Abstract: In one embodiment, a device receives observed access point (AP) features of one or more APs in a monitored network. The device clusters the observed AP features within a latent space to form AP feature clusters. The device applies labels to the AP feature clusters within the latent space. The device uses the applied labels to the AP feature clusters to describe future behaviors of the one or more APs in the monitored network.
Type:
Grant
Filed:
January 20, 2021
Date of Patent:
December 26, 2023
Assignee:
Cisco Technology, Inc.
Inventors:
Javier Cruz Mota, Jean-Philippe Vasseur, Pierre-André Savalle, Grégory Mermoud
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
Abstract: In various embodiments, a device classification service clusters devices in a network into a device type cluster based on attributes associated with the devices. The device classification service tracks changes to the device type cluster over time. The device classification service detects an attack on the device classification service by one or more of the devices based on the tracked changes to the device type cluster. The device classification service initiates a mitigation action for the detected attack on the device classification service.
Type:
Grant
Filed:
March 19, 2020
Date of Patent:
March 22, 2022
Assignee:
Cisco Technology, Inc.
Inventors:
Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, David Tedaldi
Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.
Type:
Grant
Filed:
July 2, 2019
Date of Patent:
February 9, 2021
Assignee:
Cisco Technology, Inc.
Inventors:
David Tedaldi, Grégory Mermoud, Pierre-Andre Savalle, Jean-Philippe Vasseur
Abstract: In one embodiment, a device uses a classification model to determine whether implementation of a routing change suggested by a predictive routing engine for a network will result in a violation of one or more network policies. The device computes a trust score, based on performance metrics for the classification model. The device causes, based in part on the trust score, implementation of the routing change in the network, when the classification model determines that application of the routing change will not result in a violation of the one or more network policies.
Abstract: In various embodiments, a device classification service obtains device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device. The device classification service labels the device with a device type, based on the device telemetry data. The device classification service detects device type spoofing exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes. The device classification service initiates, based on the device type spoofing, a mitigation action regarding the device.
Type:
Application
Filed:
April 17, 2020
Publication date:
October 21, 2021
Inventors:
Jean-Philippe Vasseur, Pierre-André Savalle, Grégory Mermoud, David Tedaldi
Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.
Type:
Grant
Filed:
October 29, 2021
Date of Patent:
October 25, 2022
Assignee:
Cisco Technology, Inc.
Inventors:
David Tedaldi, Grégory Mermoud, Pierre-André Savalle, Jean-Philippe Vasseur
Abstract: In various embodiments, a device classification service obtains traffic telemetry data for a plurality of devices in a network. The service applies clustering to the traffic telemetry data, to form device clusters. The service generates a device classification rule based on a particular one of the device clusters. The service receives feedback from a user interface regarding the device classification rule. The service adjusts the device classification rule based on the received feedback.
Type:
Grant
Filed:
January 6, 2021
Date of Patent:
December 7, 2021
Assignee:
Cisco Technology, Inc.
Inventors:
David Tedaldi, Grégory Mermoud, Pierre-Andre Savalle, Jean-Philippe Vasseur
Abstract: In one embodiment, a service computes a data fidelity metric for network telemetry data used by a machine learning model to monitor a computer network. The service detects unacceptable performance of the machine learning model. The service determines a correlation between the data fidelity metric and the unacceptable performance of the machine learning model. The service adjusts generation of the network telemetry data for input to the machine learning model, based on the determined correlation between the data fidelity metric and the unacceptable performance of the machine learning model.
Type:
Application
Filed:
November 22, 2019
Publication date:
May 27, 2021
Inventors:
Jean-Philippe Vasseur, Vinay Kumar Kolar, Andrea Di Pietro, Grégory Mermoud, Pierre-Andre Savalle
Abstract: In one embodiment, a device in a network receives an indication of a connection between an endpoint node in the network and a conferencing service. The device retrieves network data associated with the indicated connection between the endpoint node and the conferencing service. The device uses a machine learning model to predict an experience metric for the endpoint node based on the network data associated with the indicated connection between the endpoint node and the conferencing service. The device causes the endpoint node to use a different connection to the conferencing service based on the predicted experience metric.
Type:
Application
Filed:
January 13, 2017
Publication date:
July 19, 2018
Inventors:
Jean-Philippe Vasseur, Grégory Mermoud, Pierre-André Savalle, Javier Cruz Mota
Abstract: In one embodiment, a device classification service receives a plurality of device classification rulesets, each ruleset associating a set of device characteristics with a device type label. The device classification service forms a unified ruleset by resolving a conflict between conflicting device characteristics from two or more of the device classification rulesets. The device classification service trains a machine learning-based device classifier using the unified ruleset. The device classification service classifies, using telemetry data for a device in a network as input to the trained device classifier, the device with the device type label.
Abstract: In one embodiment, a device in a network receives traffic records indicative of network traffic between different sets of host address pairs. The device identifies one or more address grouping constraints for the sets of host address pairs. The device determines address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints. The device provides an indication of the address groups to an anomaly detector.
Abstract: In one embodiment, a device receives application experience metrics for a software-as-a-service application. The device generates, based on the application experience metrics, a predictive model that predicts application experience scores for a plurality of network service providers that provide connectivity to the software-as-a-service application. The device selects a particular network service provider for use by a location, based on an application experience score predicted by the predictive model. The device sends an indication of the particular network service provider to the location.