How Cisco is Using AI and ML to Create a New Era of Networking Solutions

Before we describe the “How” let’s start with the “What” and define what is Artificial Intelligence (AI) and Machine Learning (ML) mean, because these two terms are commonly used interchangeably, while they are not referring to the exact same thing.

In simple words AI refers to the wider concept of machines ability to relatively mimic human behavior or abilities to perform tasks or make decisions. Why relatively because, there is no way today or even soon that you would expect a machine will perform a task and have understanding why it’s really doing this or will have any emotions associated with any of the tasks. This is simply what differentiate us as human from machines.

On the other hand, ML you can think of as a subset of AI techniques, where the machines access or receive data and then use statistical algorithms to enable them machines to learn from data and provide output that cloud be a price perdition of new house, based the size and price of houses in the same area, or classify new email as either spam or not etc. technically these map to two different ML models ( regression and classification), nevertheless, ML models or types is outside the scope of this blog.

Based on the above definitions, it is obvious AI and ML are not analogous terms, in which can be used interchangeably. Artificial intelligence is a broader concept than machine learning, when machines perform tasks based on algorithms in an “intelligent” manner, that is AI.

Similarly, deep learning is a subset of machine learning, the key technical difference is that with a typical ML algorithm you may get an inaccurate prediction, then an engineer or data scientist needs to step in and make adjustments. But with a deep learning model, the algorithms can determine on their own if a prediction is accurate or not. Deep learning model is designed to continually analyze data with a logic structure similar to how a human may draw conclusions, using a multi-layer structure of algorithms commonly referred to as artificial neural network (ANN). ANN was inspired by the biological neural network of the human brain. Which makes it more capable than that of typical machine learning.

Now we described briefly the “What”, before we move to the “How”, lets understand the “why”, which is the need, and why today not 10 or 20 years ago?

10 or 20 years ago, the focus was almost always on connectivity and how to connect the enterprises, businesses and the world.  Today, as we are moving more and more into the digital age, we are no longer only concerned with connectivity, IT must provide a platform that is capable to offer a foundation for innovation, agility and that does not compromise, but optimize its security capabilities and inelegance.

This is typically driven from the changing needs and nature of the networks, for instance, networks are not going to deal with human scale. Instated, it has to be capable enough to consider IoT scale, which means considering people, devices and things such as wearable technologies.

The key enabling factor to the digital era, is the data. For instance, IoT value comes from leveraging machine generated Data for business benefit, where companies can
derive value from data. At the same time such scale (IoT scale) means, the attack surface is increasing dramatically which will introduce high security risk, where traditional security preventive approaches won’t be sufficient here with such scale.

As mentioned above, a decade ago the networking focus was mainly about connectivity and how to move the data or a packet from point A to point B.

Today, the expectations are changing, businesses need to have more insight. And this can be even more complex with the adoption of hybrid and multi-cloud strategies.

That’s why Cisco leveraging the core of the digital era which is, the network where all the data is transported, to provide better insight as well as employ some AI and ML capabilities to offer more visibility, security and help organizations to proactively optimize where needed.

Let’s see “How” by looking at couple of examples from Cisco solutions, that employ AI and ML to provide better insight rather than providing only basic connectivity and blindly moving packets.

Encrypted Traffic Analytics ETA

Although, encryption technologies have enabled much greater privacy and security for enterprises that use the Internet to communicate and transact business online, today Threat actors are taking advantage of encryption technologies to evade detection and to secure their malicious activities. The classical way to have visibility over encrypted traffic, is by using decryption technologies/appliances to decrypt and encrypt, and this can be very difficult to scale today as we are moving to the digital era with more connected devices/IoT etc. in addition, Gartner predicts that by 2019, 80 percent of web traffic will be encrypted!

So, how does Cisco ETA overcome this challenge? How does it know the difference in known malware traffic and known benign traffic without decrypting? Cisco has built a model to train ML algorithms to detect malware in encrypted traffic.

Encrypted Traffic Analytics focuses on identifying malware communications in encrypted traffic through passive monitoring, the extraction of relevant data elements and supervised machine learning with cloudbased global visibility. Encrypted Traffic Analytics extracts four main data elements: the sequence of packet lengths and times, the byte distribution, TLS-specific features and the initial data packet. Cisco’s unique Application-Specific Integrated Circuit (ASIC) architecture provides the ability to extract these data elements without slowing down the data network. So instead of decrypting traffic, Stealthwatch uses machine learning algorithms to pinpoint malicious patterns in encrypted traffic that ultimately lead to identifying threats and optimizes the overall incident response

As we know, with ML the more data you provide, the better and more accurate the outcomes will be. Similarly, with ETA ML engine, the more and more traffic flows it sees, the better and more precise it will be. Cisco typically, sees tons of data and that’s why this is going to continue to get better, and adopt with the environments.

For more info:

Cisco DNA Assurance

As we are entering the digital era, managing network operations manually is becoming increasingly challenging and untenable for IT departments for instance, troubleshooting network, client, or application issues is a complex task, that typically may involve tens or a hundred points of failure between the user and the application (end-to-end), and at scale this won’t provide the desired or expected experience of the digital era.

Cisco DNA is built on the principles of Design Thinking, A critical tenet of Design Thinking is that user experience is even more important than technology. Cisco DNA Assurance monitors the health of clients, network devices, and applications running on the enterprise network. It also expedites the troubleshooting process by leveraging contextual correlation to identify root causes, and then integrates with the automation platform to expedite prescriptive remediation. Cisco DNA Center Assurance, pulls data from several data sources e.g. netflow, ISE, etc. then aggregate this information into a complex correlation engine and pick up patterns that construct a growing knowledge base.

Therefore, here the task is beyond comparing bad malware to raw network traffic, it’s comparing raw network traffic to good raw network traffic based on a specific outcome you want to get to (which is productivity or performance.). Also, machine learning algorithms can complement traditional analytics engines in searching for and identifying previously unknown correlations and causations. When patterns indicating correlation are identified, AI can search for similar patterns to identify root causes

This allows us to build correlated insights that help IT take action on the most common issues, and with guided remediation, your customers can improve their network performance and user experience. Then the goal is to build a continuous loop that helps self-optimize. The ML techniques used to optimize the analytics engines are based on: Cognitive analytics, Predictive analytics and Trending analytics

For instance, Cognitive analytics focus on extracting the behavioral patterns to identify causation, then the cognitive analytics can extend into the realm of predictive analytics, where the system will be able to foreseeing imminent issues before they happen, in which IT team can take data-driven actions to prevent such issues from ever occurring. In contrast, the Trending analytics helps IT operations team to look into the “what-if” scenarios, that which are outside the typical ones, for planning or change purposes.

For more info:

Cisco Tetration

The Cisco Tetration platform provides a ready to use solution using unsupervised machine learning and a behavior-based algorithmic approach. Cisco Tetration collects telemetry directly hardware and software sensors, put these in data lake and use and analyzes it using big-data analytics and machine learning, to train the ML engine algorithms to baseline process behavior and detect any anomalies. With the unsupervised ML Tetration generate a whitelist policy, based on application behavior, where Tetration acts like a whitelist policy recommendation engine (machine-generated policy) based on application behavior.

Also, Tetration collects and baselines the process details running on host servers. This information includes process ID, process parameters, the user associated with it, process start time, and process hash (signature) information. ML algorithms track behavior pattern changes and find similarities to malware behavior patterns, for example, a privilege escalation followed by a shell code execution. These capabilities can be extended to the cloud.

Again, like other ML based solutions we described ealier, the more colorful and diverse data we get, the ML gets better and provides deeper insights. As result, Tetration ML engine will continue to get better with the Cisco AnyConnect NVM integration for end-point behavior insights and Talos integration for advanced threat detection.

There are other Cisco solutions not covered in the blog, that you can find out more about. For instance, To help safeguard organizations in a constantly changing threat landscape, Cisco is using AI and ML to support comprehensive, automated, coordinated responses between various security components, example solutions: Umbrella, Talos, Cloudlock, Cognitive Threat Analytics, Stealthwatch, Advanced Malware Protection.

A good place to start with go to Cisco Artificial Intelligence

Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the Top Cisco Certifications’ Design Books “CCDE Study Guide and the upcoming CCDP Arch 4th Edition”). He is Experienced Technical Architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others, Therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.