DISTRIBUTED LEARNING IN A COMPUTER NETWORK

US 20150193694A1
Filed: 01/27/2014
Published: 07/09/2015
Est. Priority Date: 01/06/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, a first data set indicative of the statuses of a plurality of network devices when a type of network attack is not present;

receiving a second data set indicative of the statuses of the plurality of network devices when the type of network attack is present, wherein at least one of the plurality simulates the type of network attack by operating as an attacking node;

training a machine learning model using the first and second data set to identify the type of network attack; and

identifying a real network attack using the trained machine learning model.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a first data set is received by a network device that is indicative of the statuses of a plurality of network devices when a type of network attack is not present. A second data set is also received that is indicative of the statuses of the plurality of network devices when the type of network attack is present. At least one of the plurality simulates the type of network attack by operating as an attacking node. A machine learning model is trained using the first and second data set to identify the type of network attack. A real network attack is then identified using the trained machine learning model.

54 Citations

View as Search Results

23 Claims

1. A method comprising:
- receiving, at a network device, a first data set indicative of the statuses of a plurality of network devices when a type of network attack is not present;
  
  receiving a second data set indicative of the statuses of the plurality of network devices when the type of network attack is present, wherein at least one of the plurality simulates the type of network attack by operating as an attacking node;
  
  training a machine learning model using the first and second data set to identify the type of network attack; and
  
  identifying a real network attack using the trained machine learning model.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as in claim 1, wherein the machine learning model is an artificial neural network (ANN).
  - 3. The method as in claim 1, further comprising:
    - sending a request to a network policy engine, to initiate collection of the first or second data set from the plurality of network devices;
      
      receiving an authorization from the network policy engine to begin collection of the first or second data set; and
      
      requesting the first or second data set from the plurality of network devices, in response to receiving the authorization to begin collection of the first or second data set.
  - 4. The method as in claim 3, wherein the authorization comprises a scheduled start time for the collection or a simulated attack type, wherein the first or second data set is requested at the start time.
  - 5. The method as in claim 3, wherein the request to initiate collection of the first or second data set comprises data selected from the group comprising:
    - an estimated time duration for the data collection and an estimated size of the first or second data set.
  - 6. The method as in claim 3, wherein the authorization comprises an instruction to reduce an estimated duration for the collection of the first or second data set.
  - 7. The method as in claim 1, further comprising:
    - sending an instruction to the at least one of the plurality of network devices to simulate the type of network attack.
  - 8. The method as in claim 1, wherein the at least one of the plurality of network devices that simulates the type of network attack is selected randomly.
  - 9. The method as in claim 1, further comprising:
    - notifying a network policy engine that the machine learning model has been trained.
  - 10. The method as in claim 1, further comprising:
    - notifying a network policy engine of the network attack identified using the machine learning model.

11. An apparatus, comprising:
- one or more network interfaces to communicate in a computer network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a first data set indicative of the statuses of a plurality of network devices when a type of network attack is not present;
  
  receive a second data set indicative of the statuses of the plurality of network devices when the type of network attack is present, wherein at least one of the plurality simulates the type of network attack by operating as an attacking node;
  
  train a machine learning model using the first and second data set to identify the type of network attack; and
  
  identify a real network attack using the trained machine learning model.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus as in claim 11, wherein the machine learning model is an artificial neural network (ANN).
  - 13. The apparatus as in claim 11, wherein the process when executed is further operable to:
    - send an instruction to the at least one of the plurality of network devices to simulate the type of network attack.
  - 14. The apparatus as in claim 11, wherein the process when executed is further operable to:
    - send a request to a network policy engine, to initiate collection of the first or second data set from the plurality of network devices;
      
      receive an authorization from the network policy engine to begin collection of the first or second data set; and
      
      request the first or second data set from the plurality of network devices, in response to receiving the authorization to begin collection of the first or second data set.
  - 15. The apparatus as in claim 14, wherein the authorization comprises a scheduled start time for the collection, and wherein the first or second data set is requested at the start time.

16. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to:
- receive a first data set indicative of the statuses of a plurality of network devices when a type of network attack is not present;
  
  receive a second data set indicative of the statuses of the plurality of network devices when the type of network attack is present, wherein at least one of the plurality simulates the type of network attack by operating as an attacking node;
  
  train a machine learning model using the first and second data set to identify the type of network attack; and
  
  identify a real network attack using the trained machine learning model.
- View Dependent Claims (17)
- - 17. The computer-readable media as in claim 16, wherein the machine learning model is an artificial neural network (ANN).

18. A method comprising:
- receiving, at a network policy engine, a request to begin collecting a first set of status data from a plurality of network devices corresponding to a type of network attack not being present;
  
  scheduling the collection of the first set of status data;
  
  receiving, at the network policy engine, a request to begin collecting a second set of status data from the plurality of network devices corresponding to at least one of the network devices simulating the type of network attack;
  
  scheduling the collection of the second set of status data; and
  
  receiving a notification that a machine learning model has been trained using the first and second sets of status data.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The method as in claim 18, further comprising:
    - receiving a notification that a network attack was detected using the machine learning model.
  - 20. The method as in claim 18, wherein the request to receive the first or second set of status data comprises an estimated time duration for the collection of the status data.
  - 21. The method as in claim 18, wherein scheduling the collection of the first or second data set comprises:
    - postponing the collection of the first or second data set.
  - 22. The method as in claim 18, wherein scheduling the collection of the first or second data set comprises:
    - authorizing a data collection window that is less than or equal to the estimated time duration for the collection of the status data.

23. An apparatus, comprising:
- one or more network interfaces to communicate in a computer network;
  
  a processor coupled to the network interfaces and configured to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a request to begin collecting a first set of status data from a plurality of network devices corresponding to a type of network attack not being present;
  
  schedule the collection of the first set of status data;
  
  receive a request to begin collecting a second set of status data from the plurality of network devices corresponding to at least one of the network devices simulating the type of network attack;
  
  schedule the collection of the second set of status data; and
  
  receive a notification that a machine learning model has been trained using the first and second sets of status data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Vasseur, Jean-Philippe, Cruz Mota, Javier, Di Pietro, Andrea

Granted Patent

US 9,870,537 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06N 20/00   Machine learning

G06N 3/045   Combinations of networks

G06N 3/08   Learning methods

G06N 3/084   Backpropagation, e.g. using...

H04L 41/142   using statistical or mathem...

H04L 41/16   using machine learning or a...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

DISTRIBUTED LEARNING IN A COMPUTER NETWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED LEARNING IN A COMPUTER NETWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links