Anomaly detection supporting new application deployments

US 9,923,911 B2
Filed: 10/08/2015
Issued: 03/20/2018
Est. Priority Date: 10/08/2015
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

maintaining, by a device in a network, information regarding anomaly detection models used in the network and applications associated with traffic analyzed by the anomaly detection models wherein the device acts as a supervisory and control agent (SCA) device;

receiving, at the device, an indication of a planned application deployment in the network; and

adjusting, by the device, an anomaly detection strategy of a particular anomaly detector of a distributed learning agent (DLA) device in the network prior to deployment of the planned application, wherein the information regarding anomaly detection models used in the network and the applications associated with the traffic analyzed by the anomaly detection models is used by the device to adjust the anomaly detection strategy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device in a network maintains information regarding anomaly detection models used in the network and applications associated with traffic analyzed by the anomaly detection models. The device receives an indication of a planned application deployment in the network. The device adjusts an anomaly detection strategy of a particular anomaly detector in the network based on the planned application deployment and on the information regarding anomaly detection models used in the network and the applications associated with the traffic analyzed by the anomaly detection models.

Citations

20 Claims

1. A method, comprising:
- maintaining, by a device in a network, information regarding anomaly detection models used in the network and applications associated with traffic analyzed by the anomaly detection models wherein the device acts as a supervisory and control agent (SCA) device;
  
  receiving, at the device, an indication of a planned application deployment in the network; and
  
  adjusting, by the device, an anomaly detection strategy of a particular anomaly detector of a distributed learning agent (DLA) device in the network prior to deployment of the planned application, wherein the information regarding anomaly detection models used in the network and the applications associated with the traffic analyzed by the anomaly detection models is used by the device to adjust the anomaly detection strategy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as in claim 1, further comprising:
    - receiving, at the device and from one or more anomaly detectors of one or more DLA devices in the network, the information regarding the anomaly detection models and the applications associated with the traffic analyzed by the anomaly detection models.
  - 3. The method as in claim 1, wherein the indication of the planned application deployment in the network comprises at least one of:
    - an application identifier, data regarding expected traffic changes in the network attributable to the application deployment, or a deployment schedule.
  - 4. The method as in claim 1, wherein adjusting the anomaly detection strategy of the particular anomaly detector comprises:
    - determining, by the device, that the planned application deployment relates to one of the applications associated with the traffic analyzed by a particular anomaly detection model of the anomaly detection models; and
      
      providing, by the device, the particular anomaly detection model to the particular anomaly detector.
  - 5. The method as in claim 1, wherein adjusting the anomaly detection strategy of the particular anomaly detector comprises:
    - determining, by the device, that the planned application deployment does not relate to one of the applications associated with the traffic analyzed by the anomaly detection models; and
      
      instructing, by the device, the particular anomaly detector to prevent anomaly detection alerts from being sent during the application deployment.
  - 6. The method as in claim 5, further comprising:
    - receiving, from the DLA device, a summary of alerts raised by the particular anomaly detector during the application deployment.

7. A method, comprising:
- providing, by an anomaly detector of a distributed learning agent (DLA) device in a network, information regarding one or more anomaly detection models executed by the DLA device and the applications associated with the traffic analyzed by the one or more anomaly detection models;
  
  receiving, at the DLA device from a supervisory and control agent (SCA) device, an indication of a new application to be deployed in the network and an adjusted anomaly detection model, wherein the adjusted anomaly detection model is adjusted by the SCA device based on other anomaly detection models used in the network and applications associated with traffic analyzed by the other anomaly detection models; and
  
  prior to deployment of the planned application, adjusting, by the DLA device, an anomaly detection strategy of the anomaly detector based on the adjusted anomaly detection model.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method as in claim 7, wherein the indication of the new application to be deployed in the network comprises a particular anomaly detection model that analyzes traffic associated with the new application to be deployed.
  - 9. The method as in claim 8, further comprising:
    - merging the one or more anomaly detection models executed by the DLA device with the particular anomaly detection model that analyzes traffic associated with the new application to be deployed, to form a merged anomaly detection model.
  - 10. The method as in claim 9, further comprising:
    - increasing a training rate for the merged anomaly detection model.
  - 11. The method as in claim 7, further comprising:
    - preventing, by the DLA device, anomaly detection alerts from being sent during deployment of the new application.
  - 12. The method as in claim 11, further comprising:
    - summarizing, by the DLA device, anomaly detection alerts generated during deployment of the new application.

13. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes to act as a supervisory and control agent (SCA) device for a plurality of distributed learning agent (DLA) devices in the network; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  maintain information regarding anomaly detection models used in the network and applications associated with the traffic analyzed by the anomaly detection models;
  
  receive an indication of a planned application deployment in the network; and
  
  adjust an anomaly detection strategy of a particular anomaly detector at a DLA device of the plurality of DLA devices in the network prior to deployment of the planned application, wherein the information regarding anomaly detection models used in the network and the applications associated with the traffic analyzed by the anomaly detection models is used by the DLA device to adjust the anomaly detection strategy.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus as in claim 13, wherein the apparatus adjusts the anomaly detection strategy of the particular anomaly detector by:
    - determining that the planned application deployment relates to one of the applications associated with the traffic analyzed by a particular anomaly detection model of the anomaly detection models; and
      
      providing the particular anomaly detection model to the particular anomaly detector.
  - 15. The apparatus as in claim 13, wherein the apparatus adjusts the anomaly detection strategy of the particular anomaly detector by:
    - determining that the planned application deployment does not relate to one of the applications associated with the traffic analyzed by the anomaly detection models; and
      
      instructing the particular anomaly detector to prevent anomaly detection alerts from being sent during the application deployment.
  - 16. The apparatus as in claim 13, wherein the indication of the planned application deployment in the network comprises at least one of:
    - an application identifier, data regarding expected traffic changes in the network attributable to the application deployment, or a deployment schedule.

17. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes to act as a distributed learning agent (DLA) device in the network; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  provide, to a supervisory and control agent (SCA) device, information regarding one or more anomaly detection models executed by the apparatus and applications associated with the traffic analyzed by one or more anomaly detection models of the apparatus;
  
  receive, from the SCA device, an indication of a new application to be deployed in the network and an adjusted anomaly detection model, wherein the adjusted anomaly detection model is adjusted by the SCA device based on other anomaly detection models used in the network and applications associated with traffic analyzed by the other anomaly detection models; and
  
  prior to deployment of the planned application, adjust an anomaly detection strategy of the anomaly detector based on the adjusted anomaly detection model.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus as in claim 17, wherein the indication of the new application to be deployed in the network comprises a particular anomaly detection model that analyzes traffic associated with the new application to be deployed, and wherein the process when executed is further configured to:
    - merge the one or more anomaly detection models executed by the apparatus with the particular anomaly detection model that analyzes traffic associated with the new application to be deployed, to form a merged anomaly detection model.
  - 19. The apparatus as in claim 17, wherein the process when executed is further configured to:
    - prevent anomaly detection alerts from being sent during deployment of the new application.
  - 20. The apparatus as in claim 17, wherein the process when executed is further configured to:
    - summarize anomaly detection alerts generated during deployment of the new application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Dasgupta, Sukrit, Mermoud, Grgory
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/878,171
Publication Number

US 20170104775A1
Time in Patent Office

894 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/00   Error detection; Error corr...

G06F 8/60   Software deployment

H04L 41/046   comprising network manageme...

H04L 41/142   using statistical or mathem...

H04L 41/145   involving simulating, desig...

H04L 41/16   using machine learning or a...

H04L 43/0817   by checking functioning

H04L 43/0876   Network utilisation, e.g. v...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/34   involving the movement of s...

H04L 69/40   for recovering from a failu...

Anomaly detection supporting new application deployments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection supporting new application deployments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links