US 11,985,043 B2
Automated classification of network devices to protection groups
Sean O'Hara, Ypsilanti, MI (US); Kyle Barkmeier, Ypsilanti, MI (US); Alan Saqui, Ann Arbor, MI (US); Brantleigh Bunting, Toledo, OH (US); and Bryan Beecher, Ann Arbor, MI (US)
Assigned to Arbor Networks, Inc., Westford, MA (US)
Filed by Arbor Networks, Inc., Westford, MA (US)
Filed on Jul. 10, 2020, as Appl. No. 16/926,322.
Claims priority of provisional application 63/006,297, filed on Apr. 7, 2020.
Prior Publication US 2021/0314296 A1, Oct. 7, 2021
Int. Cl. H04L 41/16 (2022.01); G06F 18/214 (2023.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01); H04L 9/40 (2022.01); H04L 41/142 (2022.01); H04L 47/2441 (2022.01)
CPC H04L 41/16 (2013.01) [G06F 18/214 (2023.01); G06N 7/01 (2023.01); G06N 20/00 (2019.01); H04L 41/142 (2013.01); H04L 47/2441 (2013.01); H04L 63/0236 (2013.01); H04L 63/104 (2013.01); H04L 63/105 (2013.01); H04L 63/306 (2013.01)]
23 Claims
1. A method for interactive configuration of protection groupings for IP addresses of protected network hosts, the method comprising:
receiving a collection of one or more protection groups that are classification possibilities for received IP addresses of protected network hosts;
receiving a collection of n-tuples, each n-tuple including an IP address of a protected network host and probabilities associated with respective protection groups of the collection of the one or more protection groups, wherein each probability of the probabilities associated with each of the respective protection groups represents a probability that the protection group is an appropriate classification for the IP address, and wherein the probability associated with a first protection group of the one or more protection groups is determined by:
receiving, from a plurality of Machine Learning (ML) models, classifications for the first protection group generated by the plurality of ML models;
determining, responsive to receiving the classifications, a number of ML models of the plurality of ML models that output a classification of the classifications for the first protection group;
determining a first score for the probability associated with the first protection group based on the number of ML models of the plurality of ML models that output the classification for the first protection group; and
updating, based on real-time network data, the first score for the probability associated with the first protection group;
for each n-tuple, of the collection of n-tuples:
determining a map key that includes protection groups from the collection of the one or more protection groups that have respective probabilities of the probabilities that meets a predetermined threshold; and
storing in a classification map the IP address in association with the map key;
for each unique map key in the classification map, creating an aggregated group of respective protection groups of the one or more protection groups for one or more IP addresses that are stored in association with the map key;
selecting and providing for display the aggregated group based on the probabilities associated with the respective protection groups corresponding to the one or more IP addresses associated with the map key; and
providing for display at least one interactive graphical element in association with the aggregated group selected for display, wherein user activation of one of the at least one interactive graphical element accepts assignment of the one or more IP addresses included in the aggregated group to a selected protection group of the one or more protection groups included in the aggregated group.
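
The data flow in claim 1 (model votes, per-group scores, map keys, classification map, aggregated groups) can be sketched as follows. This is an added illustration, not code from the patent or from Arbor Networks. It assumes the score is the fraction of models voting for a group, that "meets" the threshold means greater than or equal, and that display order is by mean score; the group names, IP addresses and function names are constructed, and the real-time score update and the interactive element are omitted.

```python
from collections import defaultdict

GROUPS = ["web", "dns", "mail"]  # constructed protection group names

def vote_scores(model_outputs, groups):
    """Score each group as the fraction of ML models that output it (assumed scoring)."""
    n = len(model_outputs)
    return {g: sum(1 for out in model_outputs if out == g) / n for g in groups}

def map_key(probs, threshold):
    """Map key: sorted tuple of the groups whose probability meets the threshold."""
    return tuple(sorted(g for g, p in probs.items() if p >= threshold))

def build_classification_map(n_tuples, threshold):
    """Store each IP address (with its probabilities) under its map key."""
    cmap = defaultdict(list)
    for ip, probs in n_tuples:
        cmap[map_key(probs, threshold)].append((ip, probs))
    return cmap

def aggregated_groups(cmap):
    """One aggregated group per unique map key, ordered by mean score (assumed ranking)."""
    result = []
    for key, members in cmap.items():
        if not key:
            continue  # no group met the threshold, so there is nothing to propose
        total = sum(probs[g] for _, probs in members for g in key)
        result.append({"groups": key,
                       "ips": [ip for ip, _ in members],
                       "confidence": total / (len(members) * len(key))})
    return sorted(result, key=lambda a: a["confidence"], reverse=True)

# Constructed sample: outputs of four hypothetical models per protected host.
SAMPLE_MODEL_OUTPUTS = {
    "192.0.2.10": ["web", "web", "web", "web"],
    "192.0.2.11": ["web", "web", "web", "web"],
    "192.0.2.53": ["dns", "dns", "dns", "mail"],
    "192.0.2.25": ["mail", "mail", "web", "web"],
    "192.0.2.99": ["web", "dns", "mail", "dns"],
}

def run_sample(threshold=0.5):
    n_tuples = [(ip, vote_scores(outs, GROUPS)) for ip, outs in SAMPLE_MODEL_OUTPUTS.items()]
    return aggregated_groups(build_classification_map(n_tuples, threshold))

if __name__ == "__main__":
    for agg in run_sample():
        print(agg)
```

An aggregated group whose key names more than one protection group, such as the host split evenly between "mail" and "web", is the ambiguous case in which the operator picks the group to assign.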