Anomaly selection using distance metric-based diversity and relevance

US 10,616,251 B2
Filed: 02/23/2017
Issued: 04/07/2020
Est. Priority Date: 02/23/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a device in a network, a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;

computing, by the device, one or more distance scores between the particular anomaly and one or more previously detected anomalies;

computing, by the device, one or more relevance scores for the one or more previously detected anomalies;

computing, by the device, a similarity score between the particular anomaly and the one or more previously detected anomalies using a weighting function that discounts the one or more previously detected anomalies based on the one or more distance scores between the particular anomaly and the one or more previously detected anomalies;

determining, by the device, a reporting score for the particular anomaly using the computed one or more distance scores, the computed similarity score and the computed one or more relevance scores;

reporting, by the device, the particular anomaly to a user interface based on the determined reporting score;

ranking, by the device, the distributed learning agent based on similarity scores between anomalies detected by the distributed learning agent; and

causing, by the device, allocation of network resources to the distributed learning agent for reporting detected anomalies to the device and based on the ranking of the distributed learning agent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network receives a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network. The device computes one or more distance scores between the particular anomaly and one or more previously detected anomalies. The device also computes one or more relevance scores for the one or more previously detected anomalies. The device determines a reporting score for the particular anomaly based on the one or more distance scores and on the one or more relevance scores. The device reports the particular anomaly to a user interface based on the determined reporting score.

Citations

15 Claims

1. A method comprising:
- receiving, at a device in a network, a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
  
  computing, by the device, one or more distance scores between the particular anomaly and one or more previously detected anomalies;
  
  computing, by the device, one or more relevance scores for the one or more previously detected anomalies;
  
  computing, by the device, a similarity score between the particular anomaly and the one or more previously detected anomalies using a weighting function that discounts the one or more previously detected anomalies based on the one or more distance scores between the particular anomaly and the one or more previously detected anomalies;
  
  determining, by the device, a reporting score for the particular anomaly using the computed one or more distance scores, the computed similarity score and the computed one or more relevance scores;
  
  reporting, by the device, the particular anomaly to a user interface based on the determined reporting score;
  
  ranking, by the device, the distributed learning agent based on similarity scores between anomalies detected by the distributed learning agent; and
  
  causing, by the device, allocation of network resources to the distributed learning agent for reporting detected anomalies to the device and based on the ranking of the distributed learning agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1, wherein computing the one or more distance scores between the particular anomaly and one or more previously detected anomalies comprises:
    - analyzing, by the device, the particular anomaly using a model trained using a set of anomaly pairs labeled with distance scores.
  - 3. The method as in claim 1, further comprising:
    - clustering, by the device, detected anomalies based on distance scores between the detected anomalies; and
      
      providing, by the device, an indication of the clustering to the user interface.
  - 4. The method as in claim 1, wherein computing the one or more relevance scores for the one or more previously detected anomalies comprises:
    - reporting, by the device, the one or more previously detected anomalies to the user interface; and
      
      receiving, at the device, feedback from the user interface regarding relevancy of the reported one or more previously detected anomalies.
  - 5. The method as in claim 1, wherein computing the similarity score comprises:
    - reporting, by the device, two or more of the previously detected anomalies to the user interface; and
      
      receiving, at the device, a similarity score from the user interface regarding a similarity between the reported two or more previously detected anomalies.
  - 6. The method as in claim 1, wherein the network resources comprises a bandwidth allocated to the distributed learning agent.
  - 7. The method as in claim 1, further comprising:
    - receiving, at the device, notifications regarding the one or more previously detected anomalies, wherein the one or more previously detected anomalies were detected by one or more other distributed learning agents in the network that execute machine learning-based anomaly detectors to analyze traffic in the network.

8. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
  
  compute one or more distance scores between the particular anomaly and one or more previously detected anomalies;
  
  compute one or more relevance scores for the one or more previously detected anomalies;
  
  compute a similarity score between the particular anomaly and the one or more previously detected anomalies using a weighting function that discounts the one or more previously detected anomalies based on the one or more distance score between the particular anomaly and the one or more;
  
  determine a reporting score for the particular anomaly using the computed one or more distance scores, the computed similarity score and the computed one or more relevance scores;
  
  report the particular anomaly to a user interface based on the determined reporting score;
  
  rank the distributed learning agent based on similarity scores between anomalies detected by the distributed learning agent; and
  
  cause allocation of network resources to the distributed learning agent for reporting detected anomalies to the apparatus and based on the ranking of the distributed learning agent.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as in claim 8, wherein the apparatus computes the one or more distance scores between the particular anomaly and one or more previously detected anomalies by:
    - analyzing the particular anomaly using a model trained using a set of anomaly pairs labeled with distance scores.
  - 10. The apparatus as in claim 8, wherein the process when executed is further operable to:
    - cluster detected anomalies based on distance scores between the detected anomalies;
      
      andprovide an indication of the clustering to the user interface.
  - 11. The apparatus as in claim 8, wherein the apparatus computes the one or more relevance scores for the one or more previously detected anomalies by:
    - reporting the one or more previously detected anomalies to the user interface; and
      
      receiving feedback from the user interface regarding relevancy of the reported one or more previously detected anomalies.
  - 12. The apparatus as in claim 8, wherein the apparatus computes the similarity score by:
    - reporting two or more of the previously detected anomalies to the user interface; and
      
      receiving a similarity score from the user interface regarding a similarity between the reported two or more previously detected anomalies.
  - 13. The apparatus as in claim 8, wherein the network resources comprises a bandwidth allocated to the distributed learning agent.
  - 14. The apparatus as in claim 8, wherein the process when executed is further operable to:
    - receive notifications regarding the one or more previously detected anomalies, wherein the one or more previously detected anomalies were detected by one or more other distributed learning agents in the network that execute machine learning-based anomaly detectors to analyze traffic in the network.

15. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising:
- receiving, at the device, a notification of a particular anomaly detected by a distributed learning agent in the network that executes a machine learning-based anomaly detector to analyze traffic in the network;
  
  computing, by the device, one or more distance scores between the particular anomaly and one or more previously detected anomalies;
  
  computing, by the device, one or more relevance scores for the one or more previously detected anomalies;
  
  computing, by the device, a similarity score between the particular anomaly and the one or more previously detected anomalies using a weighting function that discounts the one or more previously detected anomalies based on the distance score between the particular anomaly and the one or more previously detected anomalies, wherein the reporting score is further based in part on the similarity score;
  
  determining, by the device, a reporting score for the particular anomaly using the computed one or more distance scores, the computed similarity score and the computed one or more relevance scores;
  
  reporting, by the device, the particular anomaly to a user interface based on the determined reporting score;
  
  rank the distributed learning agent based on similarity scores between anomalies detected by the distributed learning agent; and
  
  cause allocation of network resources to the distributed learning agent for reporting detected anomalies to the apparatus and based on the ranking of the distributed learning agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Savalle, Pierre-Andre, Mermoud, Gregory, Sartran, Laurent, Vasseur, Jean-Philippe
Primary Examiner(s)
Le, Khoi V

Application Number

US15/440,116
Publication Number

US 20180241762A1
Time in Patent Office

1,139 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

G06N 3/006   based on simulated virtual ...

H04L 2463/141   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Anomaly selection using distance metric-based diversity and relevance

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly selection using distance metric-based diversity and relevance

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links