Automatic generation of training data for anomaly detection using other user's data samples
US-2017061322-A1 · Mar 2, 2017 · US
Cold start mechanism to prevent compromise of automatic anomaly detection systems
US9838409B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9838409-B2 |
| Application number | US-201514878145-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 8, 2015 |
| Priority date | Oct 8, 2015 |
| Publication date | Dec 5, 2017 |
| Grant date | Dec 5, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model.
First claim
Opening claim text (preview).
What is claimed is: 1. A method, comprising: analyzing, by a device in a network, data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network; determining, by the device, whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and training, by the device, an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises: observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model. 2. The method as in claim 1 , further comprising: determining, by the device, that the supervised anomaly detection model has detected an anomaly in the network. 3. The method as in claim 2 , further comprising: suspending, by the device, training of the unsupervised anomaly detection model, in response to determining that the supervised anomaly detection model has detected an anomaly in the network. 4. The method as in claim 2 , further comprising: providing, by the device, an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly. 5. The method as in claim 4 , wherein the supervisory system verifies the detected anomaly based on input data received from a user interface. 6. The method as in claim 4 , further comprising: receiving, at the device, an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly. 7. The method as in claim 2 , further comprising: comparing, by the device, the detected anomaly to a library of allowed anomalies. 8. The method as in claim 7 , further comprising: suppressing, by the device, generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies. 9. The method as in claim 7 , further comprising: providing, by the device, an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies. 10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and adapted to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: analyze data indicative of a behavior of the network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network; determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises: observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model. 11. The apparatus as in claim 10 , wherein the process when executed is further configured to determine that the supervised anomaly detection model has detected an anomaly in the network. 12. The apparatus as in claim 11 , wherein the process when executed is further configured to provide an indication of the detected anomaly to a supervisory system in the network, wherein the supervisory system is configured to verify the detected anomaly. 13. The apparatus as in claim 12 , wherein the process when executed is further configured to suspend training of the unsupervised anomaly detection model, in response to receiving an instruction from the supervisory system, after providing the indication of the detected anomaly to the supervisory system. 14. The apparatus as in claim 12 , wherein the process when executed is further configured to receive an update to the supervised anomaly detection model, wherein the update is based on a retraining of the supervised anomaly detection model to account for the detected anomaly. 15. The apparatus as in claim 11 , wherein the process when executed is further configured to compare the detected anomaly to a library of allowed anomalies. 16. The apparatus as in claim 15 , wherein the process when executed is further configured to suppress generation of an alert, based on a determination that the detected anomaly is in the library of allowed anomalies. 17. The apparatus as in claim 15 , wherein the process when executed is further configured to provide an indication of the detected anomaly with contextual information to a supervisory system in the network, based on a determination that the detected anomaly is in the library of allowed anomalies. 18. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor configured to: analyze data indicative of a behavior of a network using a supervised anomaly detection model, wherein the supervised anomaly detection model was trained using a set of labels applied to a set of input network metrics from a second network; determine whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data; and train an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervised anomaly detection model, wherein training the unsupervised anomaly detection model comprises: observing, by the device, network behavior, in response to the determination that no anomalies were detected by the supervised anomaly detection model, and using the observed network behavior of the network as a non-anomalous baseline for the unsupervised anomaly detection model.
Assignees
Inventors
Classifications
- H04L63/1425Primary
Traffic logging, e.g. anomaly detection · CPC title
Denial of Service · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9838409B2 cover?
- In one embodiment, a device in a network analyzes data indicative of a behavior of a network using a supervised anomaly detection model. The device determines whether the supervised anomaly detection model detected an anomaly in the network from the analyzed data. The device trains an unsupervised anomaly detection model, based on a determination that no anomalies were detected by the supervise…
- Who is the assignee on this patent?
- Cisco Tech Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Dec 05 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).