SELF ORGANIZING LEARNING TOPOLOGIES

US 20170310691A1
Filed: 06/08/2016
Published: 10/26/2017
Est. Priority Date: 03/25/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a networking device at an edge of a network, a first set of feature vectors using information regarding one or more characteristics of host devices in the network;

forming, by the networking device, the host devices into device clusters dynamically based on the first set of feature vectors;

generating, by the networking device, a second set of feature vectors using information regarding traffic associated with the device clusters; and

modeling, by the networking device, interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.

108 Citations

20 Claims

1. A method comprising:
- generating, by a networking device at an edge of a network, a first set of feature vectors using information regarding one or more characteristics of host devices in the network;
  
  forming, by the networking device, the host devices into device clusters dynamically based on the first set of feature vectors;
  
  generating, by the networking device, a second set of feature vectors using information regarding traffic associated with the device clusters; and
  
  modeling, by the networking device, interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, further comprising:
    - reporting, by the networking device, the device clusters to a supervisory device.
  - 3. The method as in claim 1, further comprising:
    - receiving, at the networking device, a clustering policy from a supervisory device, wherein the networking device forms the device clusters based in part on the received clustering policy.
  - 4. The method as in claim 1, wherein a particular host device belongs to a plurality of device clusters.
  - 5. The method as in claim 1, further comprising:
    - adjusting, by the networking device, the device clusters based on a time function.
  - 6. The method as in claim 1, further comprising:
    - adjusting, by the networking device, the device clusters based on a change in the first set of feature vectors that corresponds to a behavioral change of one or more of the host devices.
  - 7. The method as in claim 1, further comprising:
    - reporting, by the networking device, edge identifiers to a supervisory device, wherein a particular edge identifier represents an interaction between two or more of the device clusters, wherein the supervisory device is configured to use the edge identifiers to select a set of edges expected to exhibit similar behaviors; and
      
      providing, by the networking device, information regarding one or more of the anomaly detection models to the supervisory device based on the set of edges selected by the supervisory device, wherein the supervisory device is configured to use the information regarding the one or more of the anomaly detection models to provide a measure of confidence in the models.
  - 8. The method as in claim 1, wherein the networking device is a router at the edge of the network, and wherein the characteristics of a particular host device comprise one or more of:
    - a location of the particular host device, an application executed by the particular host device, or a device configuration of the particular host device.
  - 9. The method as in claim 1, further comprising:
    - adjusting, by the networking device, the device clusters in response to feedback from a supervisory device regarding one or more anomalies detected by the one or more anomaly detection models.

10. A method comprising:
- receiving, at a device, a plurality of edge identifiers, wherein a particular edge identifier represents an interaction between two or more device clusters, each device cluster comprising a plurality of host devices having similar characteristics;
  
  selecting, by the device, a set of edges from among the plurality of edge identifiers that are expected to exhibit similar behaviors;
  
  correlating, by the device, received information regarding anomaly detection models associated with the selected set of edges, to determine a measure of confidence in the anomaly detection models associated with the selected set of edges; and
  
  providing, by the device, a notification that comprises the measure of confidence.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method as in claim 10, further comprising:
    - requesting, by the device, the edge identifiers from a plurality of routers configured to form the device clusters.
  - 12. The method as in claim 10, wherein correlating the received information regarding the anomaly detection models associated with the selected set of edges comprises:
    - determining, by the device, the measure of confidence in the anomaly detection models based on a comparison between an average centroid distance of the models to an average center of the models.
  - 13. The method as in claim 12, further comprising:
    - identify, by the device, a particular one of the anomaly detection models as anomalous based on a comparison between a centroid distance of the particular model to the average center of the models.
  - 14. The method as in claim 13, wherein the notification identifies the particular anomaly detection model as anomalous.
  - 15. The method as in claim 13, further comprising:
    - providing, by the device, a clustering policy to one or more routers configured to form the device clusters based in part on the clustering policy.

16. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  generate a first set of feature vectors using information regarding one or more characteristics of host devices in the network;
  
  form the host devices into device clusters dynamically based on the first set of feature vectors;
  
  generate a second set of feature vectors using information regarding traffic associated with the device clusters; and
  
  model interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus as in claim 16, wherein the first set of feature vectors differs from the second set of feature vectors.
  - 18. The apparatus as in claim 16, wherein the process when executed is further operable to:
    - report edge identifiers to a supervisory device, wherein a particular edge identifier represents an interaction between two or more of the device clusters, wherein the supervisory device is configured to use the edge identifiers to select a set of edges expected to exhibit similar behaviors; and
      
      provide information regarding one or more of the anomaly detection models to the supervisory device based on the set of edges selected by the supervisory device, wherein the supervisory device is configured to use the information regarding the one or more of the anomaly detection models to provide a measure of confidence in the models.
  - 19. The apparatus as in claim 16, wherein the process when executed is further operable to:
    - adjust the device clusters based on one or more of;
      
      a time function, a change in the first set of feature vectors that corresponds to a behavioral change of one or more of the host devices, or feedback from a supervisory device regarding one or more anomalies detected by the one or more anomaly detection models.
  - 20. The apparatus as in claim 16, wherein the apparatus is a router at an edge of the network, and wherein the characteristics of a particular host device comprise one or more of:
    - a location of the particular host device, an application executed by the particular host device, or a device configuration of the particular host device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Gay, Sbastien, Mermoud, Grgory, Savalle, Pierre-Andr, Honor, Alexandre, Flacher, Fabien

Granted Patent

US 10,404,727 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0631   using root cause analysis; ...

H04L 41/12   Discovery or management of ...

H04L 41/147   for predicting network beha...

H04L 41/149   for prediction of maintenance

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

SELF ORGANIZING LEARNING TOPOLOGIES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SELF ORGANIZING LEARNING TOPOLOGIES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links