Data visualization in self-learning networks

US 10,484,406 B2
Filed: 01/07/2016
Issued: 11/19/2019
Est. Priority Date: 01/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

maintaining, by a first device in a self-learning network (SLN), raw traffic flow information for the SLN, wherein the first device includes a distributed learning agent (DLA);

summarizing, by the DLA, the raw traffic flow information into a summary of the raw traffic flow information obtained by the first device, the summary comprising a statistical model representing the raw traffic flow information obtained the first device;

transmitting, by the DLA, the summary of the raw traffic flow information to a second device in the SLN, wherein the second device is configured to transform the summary that is presented on a user interface, wherein the second device includes a supervisory and control agent (SCA);

detecting, by the DLA, an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector;

updating, by the DLA, the summary based on the detected anomalous traffic flow;

adaptively transmitting, by the DLA, at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device as an update to the previously transmitted summary;

receiving, by the first device, an instruction from the second device based on the portion of raw traffic flow information related to the anomalous traffic flow and received by the second device; and

in response to receiving the instruction from the second device, adjusting, by the first device, communications sent from the first device to the second device so as not to interfere with network traffic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a first device in a network maintains raw traffic flow information for the network. The first device provides a compressed summary of the raw traffic flow information to a second device in the network. The second device is configured to transform the compressed summary for presentation to a user interface. The first device detects an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector. The first device provides at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device for presentation to the user interface.

41 Citations

View as Search Results

17 Claims

1. A method, comprising:
- maintaining, by a first device in a self-learning network (SLN), raw traffic flow information for the SLN, wherein the first device includes a distributed learning agent (DLA);
  
  summarizing, by the DLA, the raw traffic flow information into a summary of the raw traffic flow information obtained by the first device, the summary comprising a statistical model representing the raw traffic flow information obtained the first device;
  
  transmitting, by the DLA, the summary of the raw traffic flow information to a second device in the SLN, wherein the second device is configured to transform the summary that is presented on a user interface, wherein the second device includes a supervisory and control agent (SCA);
  
  detecting, by the DLA, an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector;
  
  updating, by the DLA, the summary based on the detected anomalous traffic flow;
  
  adaptively transmitting, by the DLA, at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device as an update to the previously transmitted summary;
  
  receiving, by the first device, an instruction from the second device based on the portion of raw traffic flow information related to the anomalous traffic flow and received by the second device; and
  
  in response to receiving the instruction from the second device, adjusting, by the first device, communications sent from the first device to the second device so as not to interfere with network traffic.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as in claim 1, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow comprises a captured packet of the anomalous traffic flow or a traffic flow record for the anomalous traffic flow.
  - 3. The method as in claim 2, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow further comprises information regarding one or more traffic flows that were present in the SLN prior to detecting the anomalous traffic flow.
  - 4. The method as in claim 1, wherein the summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 5. The method as in claim 1, wherein maintaining the information regarding the SLN comprises:
    - storing, by the first device, an indexed portion of the traffic flow information in a persistent memory of the first device, based on a time period associated with the indexed portion of the traffic flow information.
  - 6. The method as in claim 1, wherein adjusting communications sent from the first device to the second device comprises at least one of:
    - adjust a priority or path of the communications, or performing traffic shaping on the communications.

7. An apparatus, comprising:
- one or more network interfaces to communicate with a self-learning network (SLN);
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  receive from distributed learning agent (DLA) in the SLN a summary of raw traffic flow information from one or more devices in the SLN, wherein the summary comprises a statistical model representing the raw traffic flow information obtained the first device;
  
  transform the summary of raw traffic flow information that is presented on a user interface;
  
  transmit the transformed summary of raw traffic flow information to the user interface;
  
  request at least a portion of the raw traffic flow information from the one or more devices, wherein the requested portion of the raw traffic flow information is an update to the summary related to an anomalous traffic flow;
  
  transmit the requested at least a portion of the raw traffic flow information to the user interface, wherein apparatus operates as a supervisory and control agent in the SLN; and
  
  instruct the one or more devices to adjust communications sent from the one or more devices to the apparatus so as not to interfere with network traffic based on the portion of the raw traffic flow information.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus as in claim 7, wherein the summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 9. The apparatus as in claim 7, wherein the process when executed is further configured to:
    - throttle requests to the one or more devices for raw traffic flow information, to prevent further network disruption during a distributed network attack.
  - 10. The apparatus as in claim 7, wherein the user interface is configured to asynchronously update a global data model for the SLN using the transformed summary of raw traffic flow information and the at least a portion of the raw traffic flow information.
  - 11. The apparatus as in claim 10, wherein the apparatus requests the at least a portion of the raw traffic flow information from the one or more devices, in response to receiving a request from the user interface for additional information regarding the anomalous traffic flow.

12. An apparatus, comprising:
- one or more network interfaces to communicate with a self-learning network (SLN);
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  maintain, by a distributed learning agent (DLA) executing on the apparatus, raw traffic flow information for the SLN;
  
  summarize, by the DLA, the raw traffic flow information into a summary of the raw traffic flow information obtained by the first device, the summary comprising a statistical model representing the raw traffic flow information obtained the first device;
  
  transmit, by the DLA, the summary of the raw traffic flow information to a device in the SLN, wherein the device executes a supervisory and control agent that transform the summary that is presented on a user interface;
  
  detect, by the DLA, an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector;
  
  update, by the DLA, the summary based on the detected anomalous traffic flow; and
  
  adaptively transmit, by the DLA, at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device as an update to the previously transmitted summary;
  
  receive, by the DLA, an instruction from the device based on the portion of raw traffic flow information related to the anomalous traffic flow and received by the device; and
  
  in response to receiving the instruction from the device, adjust, by the DLA, communications sent from the apparatus to the device so as not to interfere with network traffic.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus as in claim 12, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow comprises a captured packet of the anomalous traffic flow or a traffic flow record for the anomalous traffic flow.
  - 14. The apparatus as in claim 13, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow further comprises information regarding one or more traffic flows that were present in the SLN prior to detecting the anomalous traffic flow.
  - 15. The apparatus as in claim 13, wherein the summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 16. The apparatus as in claim 12, wherein the apparatus maintains the information regarding the SLN by:
    - storing an indexed portion of the traffic flow information in a persistent memory of the apparatus, based on a time period associated with the indexed portion of the traffic flow information.
  - 17. The apparatus as in claim 12, wherein the apparatus adjusts communications sent from the apparatus to the device by at least one of:
    - adjusting a priority or path of the communications or performing traffic shaping on the communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Mermoud, Gregory, Dasgupta, Sukrit, Laumonier, Xav
Primary Examiner(s)
King, John B
Assistant Examiner(s)
Dhruv, Darshan I

Application Number

US14/990,064
Publication Number

US 20160219071A1
Time in Patent Office

1,412 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Data visualization in self-learning networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

41 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Data visualization in self-learning networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links