DATA VISUALIZATION IN SELF LEARNING NETWORKS

US 20160219071A1
Filed: 01/07/2016
Published: 07/28/2016
Est. Priority Date: 01/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

maintaining, by a first device in a network, raw traffic flow information for the network;

providing, by the first device, a compressed summary of the raw traffic flow information to a second device in the network, wherein the second device is configured to transform the compressed summary for presentation to a user interface;

detecting, by the first device, an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector; and

providing, by the first device, at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device for presentation to the user interface.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a first device in a network maintains raw traffic flow information for the network. The first device provides a compressed summary of the raw traffic flow information to a second device in the network. The second device is configured to transform the compressed summary for presentation to a user interface. The first device detects an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector. The first device provides at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device for presentation to the user interface.

36 Citations

View as Search Results

20 Claims

1. A method, comprising:
- maintaining, by a first device in a network, raw traffic flow information for the network;
  
  providing, by the first device, a compressed summary of the raw traffic flow information to a second device in the network, wherein the second device is configured to transform the compressed summary for presentation to a user interface;
  
  detecting, by the first device, an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector; and
  
  providing, by the first device, at least a portion of the raw traffic flow information related to the anomalous traffic flow to the second device for presentation to the user interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow comprises a captured packet of the anomalous traffic flow or a traffic flow record for the anomalous traffic flow.
  - 3. The method as in claim 2, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow further comprises information regarding one or more traffic flows that were present in the network prior to detecting the anomalous traffic flow.
  - 4. The method as in claim 1, wherein the compressed summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 5. The method as in claim 1, wherein maintaining the information regarding the network comprises:
    - storing, by the first device, an indexed portion of the traffic flow information in a persistent memory of the first device, based on a time period associated with the indexed portion of the traffic flow information.
  - 6. The method as in claim 1, further comprising:
    - adjusting, by the first device, communications sent from the first device to the second device so as not to interfere with network traffic, in response to receiving an instruction from the second device.
  - 7. The method as in claim 6, wherein adjusting communications sent from the first device to the second device comprises at least one of:
    - adjust a priority or path of the communications, or performing traffic shaping on the communications.

8. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  receive a compressed summary of raw traffic flow information from one or more devices in the network;
  
  transform the compressed summary of raw traffic flow information for presentation to a user interface;
  
  provide the transformed summary of raw traffic flow information to the user interface;
  
  request at least a portion of the raw traffic flow information from the one or more devices, wherein the requested portion of the raw traffic flow information is related to an anomalous traffic flow detected by one of the one or more devices; and
  
  provide the requested at least a portion of the raw traffic flow information to the user interface.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The apparatus as in claim 8, wherein the compressed summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 10. The apparatus as in claim 8, wherein the process when executed is further configured to:
    - throttle requests to the one or more devices for raw traffic flow information, to prevent further network disruption during a distributed network attack.
  - 11. The apparatus as in claim 8, wherein the user interface is configured to asynchronously update a global data model for the network using the transformed summary of raw traffic flow information and the at least a portion of the raw traffic flow information.
  - 12. The apparatus as in claim 11, wherein the apparatus requests the at least a portion of the raw traffic flow information from the one or more devices, in response to receiving a request from the user interface for additional information regarding the anomalous traffic flow.
  - 13. The apparatus as in claim 8, wherein the process when executed is further configured to:
    - instruct the one or more devices to adjust communications sent from the one or more devices to the apparatus so as not to interfere with network traffic.

14. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  maintain raw traffic flow information for the network;
  
  provide a compressed summary of the raw traffic flow information to a device in the network, wherein the device is configured to transform the compressed summary for presentation to a user interface;
  
  detect an anomalous traffic flow based on an analysis of the raw traffic flow information using a machine learning-based anomaly detector; and
  
  provide at least a portion of the raw traffic flow information related to the anomalous traffic flow to the device for presentation to the user interface.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus as in claim 14, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow comprises a captured packet of the anomalous traffic flow or a traffic flow record for the anomalous traffic flow.
  - 16. The apparatus as in claim 15, wherein the at least a portion of the raw traffic flow information related to the anomalous traffic flow further comprises information regarding one or more traffic flows that were present in the network prior to detecting the anomalous traffic flow.
  - 17. The apparatus as in claim 15, wherein the compressed summary of the raw traffic flow information comprises a histogram or Bezier curve.
  - 18. The apparatus as in claim 14, wherein the apparatus maintains the information regarding the network by:
    - storing an indexed portion of the traffic flow information in a persistent memory of the first device, based on a time period associated with the indexed portion of the traffic flow information.
  - 19. The apparatus as in claim 14, wherein the process when executed is further configured to:
    - adjust communications sent from the apparatus to the device so as not to interfere with network traffic, in response to receiving an instruction from the device.
  - 20. The apparatus as in claim 19, wherein the apparatus adjust communications sent from the first device to the second device by at least one of:
    - adjusting a priority or path of the communications or performing traffic shaping on the communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Mermoud, Grgory, Laumonier, Xav, Vasseur, Jean-Philippe, Dasgupta, Sukrit

Granted Patent

US 10,484,406 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 20/00   Machine learning

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

DATA VISUALIZATION IN SELF LEARNING NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

DATA VISUALIZATION IN SELF LEARNING NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others