Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.
Abstract: In one embodiment, a device identifies a new traffic flow in a network. The device determines a service level agreement (SLA) associated with the new traffic flow. The device uses a machine learning model to predict whether a particular tunnel in the network can satisfy the determined SLA of the traffic were the traffic flow routed onto the tunnel. The device performs call admission control to route the new traffic flow onto the particular tunnel, based on a prediction that the tunnel can satisfy the determined SLA of the traffic.
Abstract: In one embodiment, a service receives software version data regarding versions of software executed by devices in a network. The service detects a version change in the version of software executed by one or more of the devices, based on the received software version data. The service makes a determination that a drop in data quality of input data for a machine learning model used to monitor the network is associated with the detected version change. The service reverts the one or more devices to a prior version of software, based on the determination that the drop in quality of the input data for the machine learning model used to monitor the network is associated with the detected version change.
Abstract: In various embodiments, a device classification service obtains data indicative of device attributes of a plurality of devices. The device classification service forms, based on the obtained data indicative of the device attributes, a concept graph that comprises nodes that represent different sets of the device attributes. The device classification service determines, by analyzing the concept graph, a relevance score for each of the device attributes that quantifies how relevant that attribute is to classifying a device by its device type. The device classification service uses the relevance scores for the device attributes to cluster the plurality of devices into device type clusters by their device attributes.
Type:
Application
Filed:
March 26, 2020
Publication date:
September 30, 2021
Inventors:
Grégory Mermoud, David Tedaldi, Pierre-André Savalle, Jean-Philippe Vasseur, Jürg Nicolaus Diemand
Abstract: In one embodiment, a device classification service assigns a set of endpoint devices to a context group. The device classification service forms a context summary feature vector for the context group that summarizes telemetry feature vectors for the endpoint devices assigned to the context group. Each telemetry feature vector is indicative of a plurality of traffic features observed for the endpoint devices. The device classification service normalizes a telemetry feature vector for a particular endpoint device using the context summary feature vector. The device classification service classifies, using the normalized telemetry feature vector for the particular endpoint device as input to a device type classifier, the particular endpoint device as being of a particular device type.
Abstract: In one embodiment, a service receives input data from networking entities in a network. The input data comprises synchronous time series data, asynchronous event data, and an entity graph that that indicates relationships between the networking entities in the network. The service clusters the networking entities by type in a plurality of networking entity clusters. The service selects, based on a combination of the received input data, machine learning model data features. The service trains, using the selected machine learning model data features, a machine learning model to forecast a key performance indicator (KPI) for a particular one of the networking entity clusters.
Abstract: In one embodiment, a network assurance service that monitors one or more networks identifies changes in a key performance indicator for each of a plurality of network entities in the one or more networks. The service forms a peer group of network entities from the plurality of network entities whose changes in the key performance indicator are correlated. The service monitors the key performance indicator for network entities in the peer group of network entities. The service, based on the monitoring, detects an anomalous change in the key performance indicator for a particular network entity in the peer group of network entities relative to other network entities in the peer group of network entities.
Abstract: In one embodiment, a service receives software version data regarding versions of software executed by devices in a network. The service detects a version change in the version of software executed by one or more of the devices, based on the received software version data. The service makes a determination that a drop in data quality of input data for a machine learning model used to monitor the network is associated with the detected version change. The service reverts the one or more devices to a prior version of software, based on the determination that the drop in quality of the input data for the machine learning model used to monitor the network is associated with the detected version change.
Abstract: In one embodiment, a device classification service obtains telemetry data for a plurality of devices in a network. The device classification service repeatedly assigns the devices to device clusters by applying clustering to the obtained telemetry data. The device classification service determines a measure of stability loss associated with the cluster assignments. The measure of stability loss is based in part on whether a device is repeatedly assigned to the same device cluster. The device classification service determines, based on the measure of stability loss, that the cluster assignments have stabilized. The device classification service obtains device type labels for the device clusters, after determining that the cluster assignments have stabilized.
Type:
Application
Filed:
April 19, 2019
Publication date:
October 22, 2020
Inventors:
David Tedaldi, Grégory Mermoud, Pierre-Andre Savalle, Jean-Philippe Vasseur
Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
Abstract: In one embodiment, a device obtains behavioral metrics for application traffic in a network for a plurality of applications. The device identifies a first application and a second application from among the plurality of applications as fate sharing applications, based on a correlation between the behavioral metrics for their application traffic. The device generates a configuration change for the network that would prevent the first application and the second application from being fate sharing applications, when application traffic for the first application negatively affects the behavioral metrics for the application traffic of the second application. The device causes the configuration change to be implemented in the network.
Abstract: In one embodiment, a device obtains a first set of measurements of a path metric for a path in a network that are measured using periodic probing of the path. The device obtains a second set of measurements of the path metric for the path that are measured using fine-grained probing of the path at a higher frequency than that of the periodic probing. The device generates a predictive model that predicts values of the path metric, based on the first set of measurements and on the second set of measurements. The device causes, based on a value of the path metric predicted by the predictive model, traffic to be rerouted from the path to another path in the network.
Abstract: In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
Abstract: In one embodiment, a device obtains characteristics of a first anomaly detection model executed by a first distributed learning agent in a network. The device receives a query from a second distributed learning agent in the network that requests identification of a similar anomaly detection to that of a second anomaly detection model executed by the second distributed learning agent. The device identifies, after receiving the query from the second distributed learning agent, the first anomaly detection model as being similar to that of the second anomaly detection model, based on the characteristics of the first anomaly detection model. The device causes the first anomaly detection model to be sent to the second distributed learning agent for execution.
Abstract: In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.
Abstract: In one embodiment, a network element in a network maintains a probabilistic data structure indicative of devices in the network for which telemetry data is not to be sent to a device classification service. The network element detects a traffic flow sent from a source device to a destination device. The network element determines whether the probabilistic data structure includes entries for both the source and destination devices of the traffic flow. The network element sends flow telemetry data regarding the traffic flow to the device classification service, based on a determination that the probabilistic data structure does not include entries for both the source and destination of the traffic flow.
Abstract: In one embodiment, a service tracks performance of a machine learning model over time. The machine learning model is used to monitor one or more computer networks based on data collected from the one or more computer networks. The service also tracks performance metrics associated with training of the machine learning model. The service determines that a degradation of the performance of the machine learning model is anomalous, based on the tracked performance of the machine learning model and performance metrics associated with training of the model. The service initiates a corrective measure for the degradation of the performance, in response to determining that the degradation of the performance is anomalous.
Abstract: In one embodiment, a device classification service classifies a device in a network as being of a first device type. The service applies a first network policy that has an associated expiration timer to the device, based on its classification as being of the first device type. The service determines whether the device was reclassified as being of a different device type than that of the first device type before expiration of the expiration timer associated with the first network policy. The service applies a second network policy to the device, when the service determines that the device has not been reclassified as being of a different device type before expiration of the expiration timer associated with the first network policy.
Abstract: In one embodiment, a device deploys a first machine learning model to an inference location in a network. The first machine learning model is used at the inference location to make inferences about the network. The device receives, from the inference location, an indication that the first machine learning model is exhibiting poor performance. The device identifies a corrective measure for the poor performance that minimizes resource consumption by a model training pipeline of the device. The device deploys, based on the corrective measure, a second machine learning model to the inference location. The second machine learning model is used in lieu of the first machine learning model to make the inferences about the network.
Abstract: In one embodiment, a device in a network obtains data indicative of a device classification rule, a device type label associated with the rule, and a set of positive and negative feature vectors used to create the rule. The device replaces similar feature vectors in the set of positive and negative feature vectors with a single feature vector, to form a reduced set of feature vectors. The device applies differential privacy to the reduced set of feature vectors. The device sends a digest to a cloud service. The digest comprises the device classification rule, the device type label, and the reduced set of feature vectors to which differential privacy was applied. The service uses the digest to train a machine learning-based device classifier.