Cache based on dynamic device clustering
US-10069689-B1 · Sep 4, 2018 · US
Self organizing learning topologies
US11240259B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11240259-B2 |
| Application number | US-201916508398-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 11, 2019 |
| Priority date | Mar 25, 2016 |
| Publication date | Feb 1, 2022 |
| Grant date | Feb 1, 2022 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information regarding traffic associated with the device clusters. The networking device models interactions between the device clusters using a plurality of anomaly detection models that are based on the second set of feature vectors.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising: receiving, at a device, a plurality of edge identifiers for a plurality of edges, wherein a particular edge represents an interaction between two or more device clusters formed by one or more routers, each device cluster comprising a plurality of host devices having similar characteristics; selecting, by the device, a set of edges from among the plurality of edges that are expected to exhibit similar behaviors; correlating, by the device, received information regarding anomaly detection models associated with the selected set of edges, to determine a measure of confidence in the anomaly detection models associated with the selected set of edges based on an assessment of how similar the anomaly detection models are to each another; providing, by the device, a notification that comprises the measure of confidence; and providing, by the device, a clustering policy to the one or more routers, wherein the one or more routers are configured to form the device clusters based on the provided clustering policy. 2. The method as in claim 1 , further comprising: requesting, by the device, the edge identifiers from a plurality of routers configured to form the device clusters. 3. The method as in claim 1 , wherein correlating the received information regarding the anomaly detection models associated with the selected set of edges comprises: determining, by the device, the measure of confidence in the anomaly detection models based on a comparison between an average centroid distance of the models to an average center of the models. 4. The method as in claim 3 , further comprising: identifying, by the device, a particular one of the anomaly detection models as anomalous based on a comparison between a centroid distance of the particular model to the average center of the models. 5. The method as in claim 4 , wherein the notification identifies the particular anomaly detection model as anomalous. 6. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive a plurality of edge identifiers for a plurality of edges, wherein a particular edge represents an interaction between two or more device clusters formed by one or more routers, each device cluster comprising a plurality of host devices having similar characteristics; select a set of edges from among the plurality of edges that are expected to exhibit similar behaviors; correlate received information regarding anomaly detection models associated with the selected set of edges, to determine a measure of confidence in the anomaly detection models associated with the selected set of edges based on an assessment of how similar the anomaly detection models are to each another; provide a notification that comprises the measure of confidence; and provide a clustering policy to the one or more routers, wherein the one or more routers are configured to form the device clusters based on the provided clustering policy. 7. The apparatus as in claim 6 , the process is further operable to: request the edge identifiers from a plurality of routers configured to form the device clusters. 8. The apparatus as in claim 6 , wherein the process is operable to correlate the received information regarding the anomaly detection models associated with the selected set of edges by: determining the measure of confidence in the anomaly detection models based on a comparison between an average centroid distance of the models to an average center of the models. 9. The apparatus as in claim 8 , the process further operable to: identify a particular one of the anomaly detection models as anomalous based on a comparison between a centroid distance of the particular model to the average center of the models. 10. The apparatus as in claim 9 , wherein the notification identifies the particular anomaly detection model as anomalous. 11. A tangible, non-transitory, computer-readable medium storing program instructions that, when executed by a device in a network perform a process comprising: receiving, at a device, a plurality of edge identifiers for a plurality of edges, wherein a particular edge represents an interaction between two or more device clusters formed by one or more routers, each device cluster comprising a plurality of host devices having similar characteristics; selecting, by the device, a set of edges from among the plurality of edges that are expected to exhibit similar behaviors; correlating, by the device, received information regarding anomaly detection models associated with the selected set of edges, to determine a measure of confidence in the anomaly detection models associated with the selected set of edges based on an assessment of how similar the anomaly detection models are to each another; providing, by the device, a notification that comprises the measure of confidence; and providing, by the device, a clustering policy to the one or more routers, wherein the one or more routers are configured to form the device clusters based on the provided clustering policy. 12. The tangible, non-transitory, computer-readable medium as in claim 11 , the process further comprising: requesting, by the device, the edge identifiers from a plurality of routers configured to form the device clusters. 13. The tangible, non-transitory, computer-readable medium as in 11 , wherein correlating, by the device, the received information regarding the anomaly detection models associated with the selected set of edges by: determining, by the device, the measure of confidence in the anomaly detection models based on a comparison between an average centroid distance of the models to an average center of the models. 14. The tangible, non-transitory, computer-readable medium as in claim 13 , the process further comprising: identifying, by the device, a particular one of the anomaly detection models as anomalous based on a comparison between a centroid distance of the particular model to the average center of the models. 15. The tangible, non-transitory, computer-readable medium as in claim 14 , wherein the notification identifies the particular anomaly detection model as anomalous.
Assignees
Inventors
Classifications
Discovery or management of network topologies · CPC title
for prediction of maintenance · CPC title
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis · CPC title
Denial of Service · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US11240259B2 cover?
- In one embodiment, a networking device at an edge of a network generates a first set of feature vectors using information regarding one or more characteristics of host devices in the network. The networking device forms the host devices into device clusters dynamically based on the first set of feature vectors. The networking device generates a second set of feature vectors using information re…
- Who is the assignee on this patent?
- Cisco Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Feb 01 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).