Dynamic application degrouping to optimize machine learning model accuracy
First Claim
1. A method, comprising:
- identifying, by a device in a network, a plurality of applications from observed traffic in the network;
- forming, by the device, two or more application clusters from the plurality of applications, wherein each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters;
- generating, by the device, anomaly detection models for each of the application clusters;
- testing, by the device, the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application; and
- selecting, by the device, a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
Abstract
In one embodiment, a device in a network identifies a plurality of applications from observed traffic in the network. The device forms two or more application clusters from the plurality of applications. Each of the application clusters includes one or more of the applications, and a particular application in the plurality of applications is included in each of the application clusters. The device generates anomaly detection models for each of the application clusters. The device tests the anomaly detection models to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application. The device selects a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
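As an added illustration of the selection loop the abstract describes (example code, not from the patent or its assignee), the sketch below enumerates candidate clusters that all contain the particular application "A", trains a simple z-score anomaly detector on each cluster's pooled traffic, scores each detector on labelled traffic of "A", and keeps the best. The per-flow byte counts, the application names and the z-score model are constructed assumptions for the example.

```python
from itertools import combinations
from statistics import mean, pstdev

# Constructed per-flow byte counts per application (sample data, not real traffic).
TRAFFIC = {
    "A": [1000, 1000, 1000, 1000, 1000, 1010],        # the particular application
    "B": [900, 1100, 1000, 950, 1050, 1000],          # behaves like A, wider spread
    "C": [50000, 60000, 55000, 52000, 58000, 54000],  # bulk-transfer app, very different
}
# Constructed held-out traffic for A, labelled (bytes, is_anomalous).
TEST_A = [(1000, False), (1030, False), (995, False),
          (5000, True), (4500, True), (6000, True)]

def form_clusters(particular, apps):
    """Every grouping that contains the particular application (the claims require
    it in each candidate cluster); real clustering would derive these from features."""
    others = [a for a in apps if a != particular]
    clusters = {}
    for r in range(len(others) + 1):
        for combo in combinations(others, r):
            members = (particular,) + combo
            clusters["+".join(members)] = list(members)
    return clusters

def train_model(samples, z_threshold=3.0):
    """Simple per-cluster anomaly detector: a flow is anomalous when its byte
    count lies more than z_threshold standard deviations from the cluster mean."""
    mu, sigma = mean(samples), max(pstdev(samples), 1e-9)  # guard constant data
    return lambda x: abs(x - mu) / sigma > z_threshold

def efficacy(model, labelled):
    """Measure of efficacy: F1 of the model on the labelled traffic."""
    tp = sum(1 for x, y in labelled if y and model(x))
    fp = sum(1 for x, y in labelled if not y and model(x))
    fn = sum(1 for x, y in labelled if y and not model(x))
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)

def select_model(particular, traffic, labelled):
    """Train one model per cluster, score each on the particular application's
    traffic, and return the best cluster name plus all scores."""
    scores = {}
    for name, members in form_clusters(particular, traffic).items():
        pooled = [x for app in members for x in traffic[app]]
        scores[name] = efficacy(train_model(pooled), labelled)
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    best, scores = select_model("A", TRAFFIC, TEST_A)
    print("scores:", scores, "selected cluster:", best)
```

Training on A alone overfits its narrow baseline and flags a benign 1030-byte flow, while pooling A with the very different C inflates the variance so much that the 5000-byte anomalies pass; only the A+B model scores F1 = 1.0 on A's traffic.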
20 Claims
1. A method, comprising:
- identifying, by a device in a network, a plurality of applications from observed traffic in the network;
- forming, by the device, two or more application clusters from the plurality of applications, wherein each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters;
- generating, by the device, anomaly detection models for each of the application clusters;
- testing, by the device, the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application; and
- selecting, by the device, a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
Dependent claims: 2 to 9.

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and configured to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed configured to:
  - identify a plurality of applications from observed traffic in the network;
  - form two or more application clusters from the plurality of applications, wherein each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters;
  - generate anomaly detection models for each of the application clusters;
  - test the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application; and
  - select a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
Dependent claims: 11 to 18.

19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- identifying, by the device, a plurality of applications from observed traffic in the network;
- forming, by the device, two or more application clusters from the plurality of applications, wherein each of the application clusters includes one or more of the applications, and wherein a particular application in the plurality of applications is included in each of the application clusters;
- generating, by the device, anomaly detection models for each of the application clusters;
- testing, by the device, the anomaly detection models, to determine a measure of efficacy for each of the models with respect to traffic associated with the particular application; and
- selecting, by the device, a particular anomaly detection model to analyze the traffic associated with the particular application based on the measures of efficacy for each of the models.
Dependent claim: 20.
Specification