-
1.
Publication number: US11570091B2
Publication date: 2023-01-31
Application number: US17130865
Filing date: 2020-12-22
Applicant: Cisco Technology, Inc.
Inventor: Kent Leung, Jianxin Wang
IPC: H04L45/00, H04L43/026, H04L61/2521, H04L67/59, H04L47/2483, H04L45/745, H04L61/2517, H04L61/2514
Abstract: An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
-
2.
Publication number: US11483292B2
Publication date: 2022-10-25
Application number: US17116111
Filing date: 2020-12-09
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
IPC: H04L9/40
Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
-
3.
Publication number: US10911409B2
Publication date: 2021-02-02
Application number: US15984637
Filing date: 2018-05-21
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang, Prashanth Patil, Flemming Andreasen, Nancy Cam-Winget, Hari Shankar
IPC: H04L29/06
Abstract: Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
-
4.
Publication number: US20180234453A1
Publication date: 2018-08-16
Application number: US15433294
Filing date: 2017-02-15
Applicant: Cisco Technology, Inc.
Inventor: Meixing Le, Jin Teng, Soumya Kumar Kalahasti, Jianxin Wang
CPC classification number: H04L63/1441, G06N20/00, H04L63/10, H04L69/22
Abstract: In one embodiment, a device in a network generates a machine learning-based traffic model using data indicative of a particular node in the network attempting to retrieve content from a particular resource in the network. The device predicts, using the traffic model, a time at which the particular node is expected to attempt retrieving future content from the particular resource. The device causes the future content from the particular resource to be prefetched in the network prior to the predicted time. The device makes a security assessment of the prefetched content. The device causes performance of a mitigation action in the network based on the security assessment of the prefetched content and in response to the particular node attempting to retrieve the future content from the particular resource.
-
5.
Publication number: US20170317926A1
Publication date: 2017-11-02
Application number: US15160804
Filing date: 2016-05-20
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Reinaldo Penno, Carlos M. Pignataro, Paul Quinn, Hung The Chau, Chui-Tin Yen, Vivek Kansal, Jianxin Wang, Kent K. Leung
IPC: H04L12/721, H04L12/703, H04L12/911
CPC classification number: H04L45/36, H04L45/26, H04L45/28, H04L45/64, H04L45/70, H04L47/10, H04L47/2441, H04L47/726, H04L2212/00
Abstract: Embodiments are directed to receiving an original packet at a service function; determining, for a reverse packet, a reverse service path identifier for a previous hop on a service function chain; determining, for the reverse packet, a service index for the reverse service path identifier; and transmitting the reverse packet to the previous hop on the service function chain.
-
6.
Publication number: US09686081B2
Publication date: 2017-06-20
Application number: US14788862
Filing date: 2015-07-01
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang, Hari Shankar
CPC classification number: H04L9/3263, G06F21/00, G06F21/33, G06F21/552, G06F21/577, G06F2221/2135, H04L9/3268, H04L63/0823, H04L63/1416
Abstract: A computer-implemented method is provided to detect a compromised Certificate Authority (CA). Over time, reports are received containing data describing certificate authority certificates captured from messages exchanged between clients and servers. These reports may be received by a central computing entity. Metadata and statistics for certificates contained in the reports are stored. It is determined whether a certificate authority has been compromised based on the metadata and statistics.
-
7.
Publication number: US20250016136A1
Publication date: 2025-01-09
Application number: US18621596
Filing date: 2024-03-29
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Patel, Jonathan A. Kunder, Ashish K. Dey, Andrew E. Ossipov, Jianxin Wang
IPC: H04L9/40, G06F16/901, H04L47/2441
Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
-
8.
Publication number: US11722463B2
Publication date: 2023-08-08
Application number: US17833458
Filing date: 2022-06-06
Applicant: Cisco Technology, Inc.
Inventor: Jianxin Wang, Hari Shankar
CPC classification number: H04L63/0428, H04L9/0891, H04L63/0281, H04L63/0464
Abstract: In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.
-
9.
Publication number: US20210344648A1
Publication date: 2021-11-04
Application number: US17374468
Filing date: 2021-07-13
Applicant: Cisco Technology, Inc.
Inventor: Pradeep Patel, Jonathan A. Kunder, Ashish K. Dey, Andrew E. Ossipov, Jianxin Wang
IPC: H04L29/06, G06F16/901, H04L12/851
Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.
-
10.
Publication number: US20210218771A1
Publication date: 2021-07-15
Application number: US16741794
Filing date: 2020-01-14
Applicant: Cisco Technology, Inc.
Inventor: Michel Khouderchah, Jayaraman Iyer, Kent K. Leung, Jianxin Wang, Donovan O'Hara, Saman Taghavi Zargar, Subharthi Paul
Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.