Cold start mechanism to prevent compromise of automatic anomaly detection systems

US 9,838,409 B2
Filed: 10/08/2015
Issued: 12/05/2017
Est. Priority Date: 10/08/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

analyzing, by a device in a network, data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;

determining, by the device, whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and

training, by the device, an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises;

observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, andusing the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model.

39 Citations

View as Search Results

18 Claims

1. A method, comprising:
- analyzing, by a device in a network, data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
  
  determining, by the device, whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
  
  training, by the device, an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises;
  
  observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, andusing the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, further comprising:
    - determining, by the device, that the supervised anomaly detection model has detected an anomaly in the network.
  - 3. The method as in claim 2, further comprising:
    - suspending, by the device, training of the unsupervised anomaly detection model, in response to determining that the supervised anomaly detection model has detected an anomaly in the network.
  - 4. The method as in claim 2, further comprising:
    - providing, by the device, an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly.
  - 5. The method as in claim 4, wherein the supervisory system verifies the detected anomaly based on input data received from a user interface.
  - 6. The method as in claim 4, further comprising:
    - receiving, at the device, an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly.
  - 7. The method as in claim 2, further comprising:
    - comparing, by the device, the detected anomaly to a library of allowed anomalies.
  - 8. The method as in claim 7, further comprising:
    - suppressing, by the device, generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies.
  - 9. The method as in claim 7, further comprising:
    - providing, by the device, an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies.

10. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  analyze data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
  
  determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
  
  train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises;
  
  observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, andusing the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The apparatus as in claim 10, wherein the process when executed is further configured to determine that the supervised anomaly detection model has detected an anomaly in the network.
  - 12. The apparatus as in claim 11, wherein the process when executed is further configured to provide an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly.
  - 13. The apparatus as in claim 12, wherein the process when executed is further configured to suspend training of the unsupervised anomaly detection model, in response to receiving an instruction from the supervisory system, after providing the indication of the detected anomaly to the supervisory system.
  - 14. The apparatus as in claim 12, wherein the process when executed is further configured to receive an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly.
  - 15. The apparatus as in claim 11, wherein the process when executed is further configured to compare the detected anomaly to a library of allowed anomalies.
  - 16. The apparatus as in claim 15, wherein the process when executed is further configured to suppress generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies.
  - 17. The apparatus as in claim 15, wherein the process when executed is further configured to provide an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies.

18. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor configured to:
- analyze data indicative of a behavior of a network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network;
  
  determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and
  
  train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises;
  
  observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, andusing the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Flacher, Fabien, Mermoud, Grgory, Vasseur, Jean-Philippe, Dasgupta, Sukrit
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Naghdali, Khalil

Application Number

US14/878,145
Publication Number

US 20170104773A1
Time in Patent Office

789 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

Cold start mechanism to prevent compromise of automatic anomaly detection systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Cold start mechanism to prevent compromise of automatic anomaly detection systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others