Adaptive capture of packet traces based on user feedback learning

US10498752B2 · US · B2

Patent metadata
Publication number: US-10498752-B2
Application number: US-201615211145-A
Country: US
Kind code: B2
Filing date: Jul 15, 2016
Priority date: Mar 28, 2016
Publication date: Dec 3, 2019
Grant date: Dec 3, 2019

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture policy. The node stores the selected set of packets for the detected anomaly.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: detecting, by a node in a network, an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic; determining, by the node, a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector, wherein the packet capture policy is adaptive and is updated based on feedback from a user interface, the feedback used to train the machine learning-based classifier; selecting, by the node, a set of packets from the analyzed traffic based on the packet capture policy, wherein the packet capture policy specifies, for machine learning-based classifier applied, which portion of the analyzed traffic is to be stored; and storing, by the node, the selected set of packets for the detected anomaly.

2. The method as in claim 1, further comprising: receiving, at the node, the classifier from a supervisory device configured to train the classifier.

3. The method as in claim 1, wherein the selected packets are associated with both anomalous and non-anomalous traffic flows based on the packet capture policy.

4. The method as in claim 1, wherein the packet capture policy causes the selection of the set of packets based on one or more of: a network address, a traffic type, or a time interval.

5. The method as in claim 1, further comprising: storing, by the node, a set of captured packets in a first packet buffer for analysis by the anomaly detector, wherein the selected set of packets are selected from the set of captured packets in the first packet buffer.

6. The method as in claim 5, wherein storing the selected set of packets comprises: transferring, by the node, the selected set of packets from the first packet buffer to a second packet buffer.

7. The method as in claim 1, wherein determining the packet capture policy comprises: applying, by the node, a plurality of machine learning-based classifiers to the result of the anomaly detector.

8. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: detect an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic; determine a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector, wherein the packet capture policy is adaptive and is updated based on feedback from a user interface, the feedback used to train the machine learning-based classifier; select a set of packets from the analyzed traffic based on the packet capture policy wherein the packet capture policy specifies, for machine learning-based classifier applied, which portion of the analyzed traffic is to be stored; and store the selected set of packets for the detected anomaly.

9. The apparatus as in claim 8, wherein the process when executed is further operable to: receive the classifier from a supervisory device configured to train the classifier.

10. The apparatus as in claim 8, wherein the selected packets are associated with both anomalous and non-anomalous traffic flows based on the packet capture policy.

11. The apparatus as in claim 8, wherein the packet capture policy causes the selection of the set of packets based on one or more of: a network address, a traffic type, or a time interval.

12. The apparatus as in claim 8, wherein the process when executed is further operable to: store a set of captured packets in a first packet buffer for analysis by the anomaly detector, wherein the selected set of packets are selected from the set of captured packets in the first packet buffer.

13. The apparatus as in claim 12, wherein the apparatus stores the selected set of packets by: transferring the selected set of packets from the first packet buffer to a second packet buffer.

14. The apparatus as in claim 8, wherein the apparatus determines the packet capture policy by: applying a plurality of machine learning-based classifiers to the result of the anomaly detector.

15. The apparatus as in claim 8, wherein the apparatus comprises an edge router.

16. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor on a device in a communication network operable to: detect an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic; determine a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector, wherein the packet capture policy is adaptive and is updated based on feedback from a user interface, the feedback used to train the machine learning-based classifier; select a set of packets from the analyzed traffic based on the packet capture policy, wherein the packet capture policy specifies, for machine learning-based classifier applied, which portion of the analyzed traffic is to be stored; and store the selected set of packets for the detected anomaly.

17. The tangible, non-transitory, computer-readable media as in claim 16, wherein the process when executed is further operable to: receive the classifier from a supervisory device configured to train the classifier.

18. The tangible, non-transitory, computer-readable media as in claim 16, wherein the selected packets are associated with both anomalous and non-anomalous traffic flows based on the packet capture policy.

19. The tangible, non-transitory, computer-readable media as in claim 16, wherein the packet capture policy causes the selection of the set of packets based on one or more of: a network address, a traffic type, or a time interval.

20. The tangible, non-transitory, computer-readable media as in claim 16, wherein the process when executed is further operable to: store a set of captured packets in a first packet buffer for analysis by the anomaly detector, wherein the selected set of packets are selected from the set of captured packets in the first packet buffer.
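To make the loop in the claims concrete, the following is an added example, not code from the patent, from Cisco, or from this site. It models the mechanism in plain Python: a stand-in anomaly detector scores per-source traffic held in a ring buffer (the first packet buffer of claim 5), a distance-weighted k-nearest-neighbour classifier maps the detector's result to one of three assumed capture policies built from a network address, a traffic type and a time interval (claim 4), the chosen policy copies packets into a second buffer (claim 6), and feedback from the user interface is appended as a labelled training sample so that the classifier's next decision changes (claim 1). The packet layout, the policy names, the feature vector, the seed samples, the detector rule and every threshold are assumptions; the traffic is constructed inline.

```python
"""Toy model of the adaptive packet-capture loop in US10498752B2.
Added example, not code from the patent or Cisco: the packet format, policy
catalogue, feature vector, stand-in detector, distance-weighted k-NN classifier
and all thresholds are assumptions."""
from collections import Counter, deque
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds
    src: str
    dst: str
    proto: str  # "dns", "http", "tls", ...

@dataclass(frozen=True)
class CapturePolicy:
    by_address: bool  # keep only flows involving the anomalous host
    by_type: bool     # keep only the anomalous traffic type
    window: float     # seconds before the anomaly to retain

# Assumed catalogue: select by address, traffic type, time interval (claim 4).
# "host_all" keeps the host's non-anomalous flows as well (claim 3).
POLICIES = {"host_all": CapturePolicy(True, False, 30.0),
            "host_type": CapturePolicy(True, True, 30.0),
            "type_any": CapturePolicy(False, True, 10.0)}

def detect_anomaly(ring, now, window=10.0, ratio=4.0):
    """Stand-in for the ML detector: flag the busiest source when its packet
    count over `window` seconds is at least `ratio` times the median source."""
    recent = [p for p in ring if now - window <= p.ts <= now]
    counts = Counter(p.src for p in recent)
    if len(counts) < 2:
        return None
    src, n = counts.most_common(1)[0]
    base = median(counts.values())
    if n < ratio * base:
        return None
    mine = [p for p in recent if p.src == src]
    return {"ts": now, "src": src, "score": n / base,
            "proto": Counter(p.proto for p in mine).most_common(1)[0][0],
            "dns_fraction": sum(p.proto == "dns" for p in mine) / len(mine),
            "fanout": len({p.dst for p in mine})}

def features(result):
    """Bounded feature vector derived from the detector result."""
    return (min(result["score"], 10.0) / 10.0, result["dns_fraction"],
            min(result["fanout"], 50) / 50.0)

class PolicyClassifier:
    """Distance-weighted k-NN from detector result to policy name; analyst
    feedback is appended as a labelled sample, so the mapping adapts."""
    def __init__(self, seeds, k=3):
        self.samples = list(seeds)  # [(feature tuple, policy name)]
        self.k = k

    def predict(self, result):
        f = features(result)
        dist = lambda s: sum((a - b) ** 2 for a, b in zip(s[0], f))
        votes = Counter()
        for s in sorted(self.samples, key=dist)[: self.k]:
            votes[s[1]] += 1.0 / (dist(s) + 1e-3)  # nearer samples weigh more
        return votes.most_common(1)[0][0]

    def feedback(self, result, wanted):
        self.samples.append((features(result), wanted))

def select_packets(ring, result, name):
    """Copy from the first buffer the packets the named policy says to keep."""
    pol, t0 = POLICIES[name], result["ts"]
    return [p for p in ring if t0 - pol.window <= p.ts <= t0
            and (not pol.by_address or result["src"] in (p.src, p.dst))
            and (not pol.by_type or p.proto == result["proto"])]

def run_demo():
    """Constructed traffic: three quiet hosts, one host bursting DNS to 40 names."""
    seeds = [((0.5, 0.9, 0.8), "host_all"), ((0.3, 0.8, 0.6), "host_all"),
             ((0.6, 0.1, 0.1), "host_type"), ((0.4, 0.0, 0.2), "host_type"),
             ((0.2, 0.2, 0.9), "type_any"), ((0.1, 0.1, 0.7), "type_any")]
    clf = PolicyClassifier(seeds)
    ring = deque(maxlen=10_000)  # first packet buffer (claim 5)
    for h in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        for i in range(10):
            ring.append(Packet(float(i), h, "93.184.216.34", "tls" if i % 2 else "http"))
    for ts in (1.0, 3.0):  # the bursting host's ordinary, non-anomalous flows
        ring.append(Packet(ts, "10.0.0.9", "93.184.216.34", "http"))
    for j in range(40):
        ring.append(Packet(5.0 + j * 0.1, "10.0.0.9", f"198.51.100.{j}", "dns"))
    result = detect_anomaly(ring, now=10.0)
    policy = clf.predict(result)
    evidence = select_packets(ring, result, policy)  # second buffer (claim 6)
    before = (policy, len(evidence))
    # UI feedback: the analyst wanted only the DNS burst; retrain and reselect.
    clf.feedback(result, "host_type")
    policy = clf.predict(result)
    evidence = select_packets(ring, result, policy)
    return {"src": result["src"], "before": before, "after": (policy, len(evidence))}
```

Running run_demo() shows the policy flip: before feedback the classifier picks host_all and 42 packets are kept, including the host's two ordinary HTTP flows alongside the DNS burst (claim 3); after the analyst asks for host_type, the classifier now holds that labelled sample, picks host_type for the same detector result, and only the 40 DNS packets remain in the second buffer. In the patent the classifier can be trained on a supervisory device and pushed to the node (claim 2); the in-node k-NN here is a stand-in for that. A practitioner would also treat the feedback path as a training input to protect: whoever can submit feedback through the interface steers what evidence later anomalies retain, so the feedback channel needs the same authentication and audit as the capture store itself.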

Assignees

Cisco Tech Inc

Inventors

Classifications

  • by adaptive sampling · CPC title

  • related to network traffic · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Detection or countermeasures against botnets · CPC title

  • using software, i.e. software packages (network security related monitoring H04L63/1408) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10498752B2 cover?
In one embodiment, a node in a network detects an anomaly in the network based on a result of a machine learning-based anomaly detector analyzing network traffic. The node determines a packet capture policy for the anomaly by applying a machine learning-based classifier to the result of the anomaly detector. The node selects a set of packets from the analyzed traffic based on the packet capture…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Dec 3, 2019 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).