EDGE-BASED DETECTION OF NEW AND UNEXPECTED FLOWS

US 20170279827A1
Filed: 05/24/2016
Published: 09/28/2017
Est. Priority Date: 03/24/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a device in a network, a new interaction between two or more nodes in the network;

forming, by the device, a feature vector using contextual information associated with the new interaction between the two or more nodes;

causing, by the device, generation of an anomaly detection model for new node interactions using the feature vector; and

using, by the device, the anomaly detection model to determine whether a particular node interaction in the network is anomalous.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network identifies a new interaction between two or more nodes in the network. The device forms a feature vector using contextual information associated with the new interaction between the two or more nodes. The device causes generation of an anomaly detection model for new node interactions using the feature vector. The device uses the anomaly detection model to determine whether a particular node interaction in the network is anomalous.

Citations

20 Claims

1. A method comprising:
- identifying, by a device in a network, a new interaction between two or more nodes in the network;
  
  forming, by the device, a feature vector using contextual information associated with the new interaction between the two or more nodes;
  
  causing, by the device, generation of an anomaly detection model for new node interactions using the feature vector; and
  
  using, by the device, the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1, wherein the contextual information comprises a measure of destination centrality.
  - 3. The method as in claim 1, wherein the contextual information includes a result of deep packet inspection of a packet associated with the new interaction between the two or more nodes.
  - 4. The method as in claim 1, wherein the contextual information comprises at least one of:
    - a rate or frequency of new node interactions in the network.
  - 5. The method as in claim 1, wherein the contextual information comprises an output of a traffic classification model.
  - 6. The method as in claim 1, wherein the contextual information comprises traffic information associated with the two or more nodes comprising at least one of:
    - a historical amount of traffic communicated between the two or more nodes, temporal information regarding historical traffic communicated between the two or more nodes, or packet information.
  - 7. The method as in claim 1, wherein the device is an edge router in the network.
  - 8. The method as in claim 1, wherein causing the generation of the anomaly detection model for new node interactions using the feature vector comprises:
    - providing, by the device, the feature vector to another device configured to generate the anomaly detection model based in part on the feature vector; and
      
      s receiving, at the device, the anomaly detection model from the other device.
  - 9. The method as in claim 1, wherein causing the generation of the anomaly detection model for new node interactions using the feature vector comprises:
    - generating, by the device, the anomaly detection model based in part on the feature vector.
  - 10. The method as in claim 1, wherein the anomaly detection model comprises at least one of:
    - a density estimation model or a classification model.
  - 11. The method as in claim 1, wherein identifying the new interaction between the two or more nodes comprises:
    - determining, by the device, that the two or more nodes have not communicated with one another within a predefined time window.

12. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the one or more network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  identify a new interaction between two or more nodes in the network;
  
  form a feature vector using contextual information associated with the new interaction between the two or more nodes;
  
  cause generation of an anomaly detection model for new node interactions using the feature vector; and
  
  use the anomaly detection model to determine whether a particular node interaction in the network is anomalous.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The apparatus as in claim 12, wherein the contextual information comprises a measure of destination centrality.
  - 14. The apparatus as in claim 12, wherein the contextual information comprises at least one of:
    - a rate or frequency of new node interactions in the network, or an output of a traffic classification model.
  - 15. The apparatus as in claim 12, wherein the contextual information comprises traffic information associated with the two or more nodes comprising at least one of:
    - a historical amount of traffic communicated between the two or more nodes, temporal information regarding historical traffic communicated between the two or more nodes, or packet information.
  - 16. The apparatus as in claim 12, wherein the apparatus is an edge router in the network.
  - 17. The apparatus as in claim 12, wherein the apparatus causes the generation of the anomaly detection model for new node interactions using the feature vector by:
    - providing the feature vector to another device configured to generate the anomaly detection model based in part on the feature vector and based in part on feature vectors from a plurality of deployed learning agents in the network; and
      
      receiving the anomaly detection model from the other device.
  - 18. The apparatus as in claim 12, wherein the anomaly detection model comprises at least one of:
    - a density estimation model or a classification model.
  - 19. The apparatus as in claim 12, wherein the apparatus identifies the new interaction between the two or more nodes by determining that the two or more nodes have not communicated with one another within a predefined time window.

20. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a device in a network configured to:
- identify a new interaction between two or more nodes in the network;
  
  form a feature vector using contextual information associated with the new interaction between the two or more nodes;
  
  cause generation of an anomaly detection model for new node interactions using the feature vector; and
  
  use the anomaly detection model to determine whether a particular node interaction in the network is anomalous.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Savalle, Pierre-Andr, Sartran, Laurent, Vasseur, Jean-Philippe, Mermoud, Grgory

Granted Patent

US 10,389,741 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/02   based on web technology, e....

H04L 67/535   Tracking the activity of th...

H04L 69/22   Parsing or analysis of headers

EDGE-BASED DETECTION OF NEW AND UNEXPECTED FLOWS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EDGE-BASED DETECTION OF NEW AND UNEXPECTED FLOWS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links