In-situ trainable intrusion detection system
US-9497204-B2 · Nov 15, 2016 · US
Network-centric visualization of normal and anomalous traffic patterns
US10063578B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10063578-B2 |
| Application number | US-201615092993-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 7, 2016 |
| Priority date | May 28, 2015 |
| Publication date | Aug 28, 2018 |
| Grant date | Aug 28, 2018 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
In one embodiment, a device in a network analyzes local network data regarding a portion of the network that is local to the device using a first anomaly detection model. The device analyzes the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the device. The device compares outputs of the first and second anomaly detection models. The device identifies the local network data as peculiar, in response to the first anomaly detection model determining the local network data to be normal and the second anomaly detection model determining the local network data to be anomalous.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: analyzing, by a device in a network, local network data regarding a portion of the network that is local to the device using a first anomaly detection model; analyzing, by the device, the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the device; comparing, by the device, outputs of the first and second anomaly detection models; identifying, by the device, the local network data as peculiar, in response to the first anomaly detection model determining the local network data to be normal and the second anomaly detection model determining the local network data to be anomalous; mapping, by the device, network metrics derived from the local network data to the output of the first anomaly detection model; scoring, by the device, the network metrics based on the mapping, wherein a score for a particular network metric corresponds to a contribution of the network metric to the output of the first anomaly detection model; and transmitting, by the device, the network metrics and associated scores for display. 2. The method as in claim 1 , further comprising: receiving, at the device, the second anomaly detection model from a supervisory device in the network. 3. The method as in claim 1 , wherein the second anomaly detection model is sent in response to a request from a user interface. 4. The method as in claim 1 , further comprising: providing, by the device, an indication of the local network data having been identified as peculiar for display by a user interface. 5. The method as in claim 1 , wherein the second anomaly detection model was trained using offline records that comprise the remote network data. 6. The method as in claim 1 , wherein the second anomaly detection model was trained by an anomaly detector deployed to the portion of the network that is remote to the device. 7. The method as in claim 1 , wherein the first anomaly detection model is configured to analyze the local network data using unsupervised machine learning. 8. An apparatus, comprising: one or more network interfaces to communicate with an anchorless network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: analyze local network data regarding a portion of the network that is local to the apparatus using a first anomaly detection model; analyze the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the apparatus; compare outputs of the first and second anomaly detection models; identify the local network data as peculiar, in response to the first anomaly detection model determining the local network data to be normal and the second anomaly detection model determining the local network data to be anomalous; map network metrics derived from the local network data to the output of the first anomaly detection model; score the network metrics based on the mapping, wherein a score for a particular network metric corresponds to a contribution of the network metric to the output of the first anomaly detection model; and transmit the network metrics and associated scores for display. 9. The apparatus as in claim 8 , wherein the apparatus receives the second anomaly detection model from a supervisory device in the network. 10. The apparatus as in claim 8 , wherein the second anomaly detection model is sent to the apparatus in response to a request from a user interface. 11. The apparatus as in claim 8 , wherein the process when executed is further configured to: provide an indication of the local network data having been identified as peculiar for display by a user interface. 12. The apparatus as in claim 8 , wherein the second anomaly detection model was trained using offline records that comprise the remote network data. 13. The apparatus as in claim 8 , wherein the second anomaly detection model was trained by an anomaly detector deployed to the portion of the network that is remote to the apparatus. 14. The apparatus as in claim 8 , wherein the first anomaly detection model is configured to analyze the local network data using unsupervised machine learning. 15. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor of a device in a network configured to: analyze local network data regarding a portion of the network that is local to the device using a first anomaly detection model; analyze the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the device; compare outputs of the first and second anomaly detection models; identify the local network data as peculiar, in response to the first anomaly detection model determining the local network data to be normal and the second anomaly detection model determining the local network data to be anomalous; map network metrics derived from the local network data to the output of the first anomaly detection model; score the network metrics based on the mapping, wherein a score for a particular network metric corresponds to a contribution of the network metric to the output of the first anomaly detection model; and transmit the network metrics and associated scores for display. 16. The computer-readable media as in claim 15 , wherein the first anomaly detection model is configured to analyze the local network data using unsupervised machine learning. 17. The computer-readable media as in claim 15 , wherein the second anomaly detection model was trained by an anomaly detector deployed to the portion of the network that is remote to the apparatus. 18. The computer-readable media as in claim 15 , wherein the second anomaly detection model was trained using offline records that comprise the remote network data.
Assignees
Inventors
Classifications
based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] (wireless communication networks H04W {; arrangements for dividing the transmission path H04W40/00}) · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US10063578B2 cover?
- In one embodiment, a device in a network analyzes local network data regarding a portion of the network that is local to the device using a first anomaly detection model. The device analyzes the local network data using a second anomaly detection model that was trained in part using remote network data regarding a portion of the network that is remote to the device. The device compares outputs …
- Who is the assignee on this patent?
- Cisco Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Aug 28 2018 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).