1.
Publication number: US20230129786A1
Publication date: 2023-04-27
Application number: US18088284
Application date: 2022-12-23
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Vincent E. Parla , Jan Jusko , Martin Grill , Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
2.
Publication number: US11108810B2
Publication date: 2021-08-31
Application number: US16869726
Application date: 2020-05-08
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
3.
Publication number: US20190319976A1
Publication date: 2019-10-17
Application number: US16447150
Application date: 2019-06-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp , Martin Grill , Jan Kohout
Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
4.
Publication number: US20190253435A1
Publication date: 2019-08-15
Application number: US15896421
Application date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica , Ivan Nikolaev , Karel Bartos , Martin Grill
CPC classification number: H04L63/145 , G06F21/554 , G06F21/56 , H04L61/1511 , H04L63/1425 , H04L2463/144
Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity by using a domain name service (DNS) model to detect an abnormally high number of DNS requests made by a host attempting to locate a command and control (C&C) server. The security device also detects potential DGA communications activity by applying a hostname-based classifier for DGA domains to the hostnames associated with any server internet protocol (IP) address in a data stream from the host. The security device then correlates the potential DGA searching activity with the potential DGA communications activity and identifies DGA-performing malware based on that correlation.
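The two-signal correlation in this abstract, worked through as an added example (my code, not Cisco's implementation or the patent's disclosed embodiment). The "DNS model" is reduced to a per-host query-rate rule against the median host, the "hostname-based classifier" to an entropy/vowel heuristic on the registered label, and both logs are constructed inline. Host 10.0.0.4 shows why the correlation step matters: its one odd-looking hostname trips the hostname classifier alone, but without a burst of failed lookups it is not reported.

```python
"""Correlating DGA 'searching' (bursts of failing DNS lookups) with DGA
'communications' (flows to servers whose hostnames look machine-generated).
Added example over constructed logs; not Cisco's implementation."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed DNS query log, not captured data: (client_ip, queried_name, rcode)
DNS_LOG = [
    ("10.0.0.1", "www.example.com", "NOERROR"),
    ("10.0.0.1", "mail.example.com", "NOERROR"),
    ("10.0.0.1", "cdn.example.net", "NOERROR"),
    ("10.0.0.1", "login.example.org", "NOERROR"),
    ("10.0.0.2", "www.example.com", "NOERROR"),
    ("10.0.0.2", "update.example.org", "NOERROR"),
    ("10.0.0.2", "api.example.net", "NOERROR"),
    ("10.0.0.2", "img.example.com", "NOERROR"),
    ("10.0.0.2", "static.example.com", "NOERROR"),
    # 10.0.0.4 resolves one odd-looking name and otherwise behaves normally
    ("10.0.0.4", "zvq8xkptwm.org", "NOERROR"),
    ("10.0.0.4", "www.example.com", "NOERROR"),
    # 10.0.0.3 walks a generated list until one name resolves (the C&C server)
    ("10.0.0.3", "qpzm9xwrtvcb.net", "NOERROR"),
    ("10.0.0.3", "www.example.com", "NOERROR"),
] + [("10.0.0.3", f"{n}.net", "NXDOMAIN") for n in (
    "xkq3zv7pwmdt", "hj8kfd2lqwzx", "vbn4tyqpzmkr", "wrt9xclpqvbn",
    "zqp2mkvxcbnt", "lkj7hgfdsqwp", "pqw3zxcvbnmk", "mnb5vcxzlkjq",
    "qwz8xvcpbnmt", "tkr4pqzxvbcm", "bvc6xzqwpmkn", "nmq9kzpxvcbt",
    "cxz3qwpvbnmk", "zxq5vcbpnmkt", "kpz7xvcqbnmw", "xvc2qzpbnmkt",
)]

# Constructed flow log: (client_ip, server_ip, server hostname from DNS/SNI)
FLOW_LOG = [
    ("10.0.0.1", "93.184.216.34", "www.example.com"),
    ("10.0.0.2", "93.184.216.34", "www.example.com"),
    ("10.0.0.3", "203.0.113.7", "qpzm9xwrtvcb.net"),
    ("10.0.0.3", "93.184.216.34", "www.example.com"),
    ("10.0.0.4", "198.51.100.9", "zvq8xkptwm.org"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character of the label."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(hostname: str) -> bool:
    """Hostname-based classifier: a hand-written stand-in for the trained
    classifier in the abstract. Scores the registered label (naively the
    second-to-last label; a real system would consult a public-suffix list)."""
    labels = hostname.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.25 or digit_ratio > 0.3)


def dga_searching_hosts(dns_log, min_queries=10, ratio=3.0, nx_fraction=0.5):
    """DNS model: hosts whose query volume is far above the median host and
    whose lookups mostly fail (names from the generated list do not exist)."""
    total, nxdomain = Counter(), Counter()
    for client, _name, rcode in dns_log:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
    baseline = statistics.median(total.values())
    return {c for c, n in total.items()
            if n >= min_queries and n > ratio * baseline and nxdomain[c] / n >= nx_fraction}


def dga_communication_hosts(flow_log):
    """Client -> set of server IPs whose hostname the classifier flags."""
    hits = defaultdict(set)
    for client, server_ip, hostname in flow_log:
        if looks_like_dga(hostname):
            hits[client].add(server_ip)
    return hits


def detect_dga_malware(dns_log, flow_log):
    """Only hosts that both searched and then talked to a DGA-looking server."""
    searching = dga_searching_hosts(dns_log)
    comms = dga_communication_hosts(flow_log)
    return {c: sorted(ips) for c, ips in comms.items() if c in searching}


if __name__ == "__main__":
    print(detect_dga_malware(DNS_LOG, FLOW_LOG))
```

The thresholds here are illustrative; in practice the query-rate baseline should be learned per host over time rather than taken from the current population, since a single very noisy host drags the median.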
5.
Publication number: US10375097B2
Publication date: 2019-08-06
Application number: US15386006
Application date: 2016-12-21
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp , Martin Grill , Jan Kohout
Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
6.
Publication number: US20180337831A1
Publication date: 2018-11-22
Application number: US15598541
Application date: 2017-05-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill , Jan Kohout , Martin Kopp
CPC classification number: H04L67/02 , H04L43/065 , H04L63/1425 , H04L67/303 , H04W12/0027 , H04W12/06
Abstract: A computing device having connectivity to a network stores one or more existing device models, where each of the one or more existing device models is a representation of a different client device used by a first authenticated user to access the network. The computing device obtains a device sample, which comprises network traffic data that is captured during a period of time and which is generated by a particular client device associated with the authenticated user of the network. The computing device determines, based on one or more relational criteria, whether the device sample should be assigned to one of the one or more existing device models or to an additional device model that has not yet been created. The computing device then determines relative identity of the particular client device based on whether the device sample is assigned to one of the one or more device models or to an additional device model that has not yet been created.
7.
Publication number: US20210377283A1
Publication date: 2021-12-02
Application number: US17395968
Application date: 2021-08-06
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Subharthi Paul , Ivan Nikolaev , Martin Grill
IPC: H04L29/06
Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.
8.
Publication number: US11019095B2
Publication date: 2021-05-25
Application number: US16261682
Application date: 2019-01-30
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill , Lukas Bajer , Martin Kopp , Jan Kohout
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
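The tracking step in this abstract, as an added example (my code, not Cisco's implementation). It assumes the replication service logs a byte-entropy figure for each uploaded file version, which is an assumption of this example rather than anything the abstract states; the log records are constructed. A file counts as converted only when an earlier version of the same path was below the entropy threshold, so a `.gpg` file that arrives already encrypted does not count, and a single deliberate encryption on laptop-3 stays below the burst threshold.

```python
"""Detecting a ransomware infection from file-replication (sync/backup) logs
by tracking files that change from unencrypted to encrypted.
Added example over constructed log data; not Cisco's implementation."""
from collections import defaultdict, deque

# Assumption: every replicated version carries an entropy measurement
# (bits per byte, 0..8) made by the replication service.
# Constructed records: (ts_seconds, client, path, entropy)
REPL_LOG = [
    # laptop-7: ordinary documents at first sync
    (0, "laptop-7", "/docs/q1.txt", 4.5),
    (1, "laptop-7", "/docs/budget.csv", 4.8),
    (2, "laptop-7", "/docs/plan.pdf", 7.3),
    (3, "laptop-7", "/docs/memo.txt", 4.6),
    (4, "laptop-7", "/docs/list.csv", 5.1),
    (5, "laptop-7", "/docs/readme.txt", 4.4),
    (6, "laptop-7", "/docs/report.pdf", 7.2),
    (7, "laptop-7", "/docs/todo.txt", 4.9),
    # laptop-3: one deliberate encryption, one file already encrypted on arrival
    (10, "laptop-3", "/docs/notes.txt", 4.5),
    (20, "laptop-3", "/backup/keys.gpg", 7.99),
    (500, "laptop-3", "/docs/notes.txt", 7.99),
] + [
    # laptop-7: every document re-uploaded as ciphertext within 35 seconds
    (1000 + 5 * i, "laptop-7", path, 7.99)
    for i, path in enumerate([
        "/docs/q1.txt", "/docs/budget.csv", "/docs/plan.pdf", "/docs/memo.txt",
        "/docs/list.csv", "/docs/readme.txt", "/docs/report.pdf", "/docs/todo.txt",
    ])
]

# Crude stand-in for "looks encrypted": AES output sits at ~7.99 bits/byte.
# Already-compressed formats (zip, docx, jpeg) approach this too, so a real
# detector would add a second test (magic bytes, chi-square) for them.
ENCRYPTED_ENTROPY = 7.9


def encryption_transitions(log, threshold=ENCRYPTED_ENTROPY):
    """(ts, client, path) for each version that turns a previously
    unencrypted file into an encrypted one. Files with no earlier version
    are ignored: they may have been encrypted on purpose before upload."""
    last_entropy = {}
    transitions = []
    for ts, client, path, entropy in sorted(log):
        key = (client, path)
        prev = last_entropy.get(key)
        if prev is not None and prev < threshold <= entropy:
            transitions.append((ts, client, path))
        last_entropy[key] = entropy
    return transitions


def ransomware_suspects(log, window_s=300, min_files=5):
    """Flag a client once min_files of its files convert inside window_s.
    Returns {client: {"detected_at": ts, "files_converted": total}}."""
    transitions = encryption_transitions(log)
    converted = defaultdict(int)
    recent = defaultdict(deque)
    detected = {}
    for ts, client, _path in transitions:
        converted[client] += 1
        window = recent[client]
        window.append(ts)
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= min_files and client not in detected:
            detected[client] = ts  # earliest moment a mitigation could fire
    return {c: {"detected_at": t, "files_converted": converted[c]}
            for c, t in detected.items()}


if __name__ == "__main__":
    for client, info in ransomware_suspects(REPL_LOG).items():
        print(f"isolate {client}: {info}")
```

Ransomware that renames files (`report.pdf` to `report.pdf.locked`) appears in such logs as a delete plus a create, so a production version should also key on content hashes or inode-like identifiers rather than paths alone.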
9.
Publication number: US10965704B2
Publication date: 2021-03-30
Application number: US16447150
Application date: 2019-06-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp , Martin Grill , Jan Kohout
Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
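The association step described in this record and in the two related records above (US20190319976A1 and US10375097B2), as an added example (my code, not Cisco's implementation). It assumes that certificate validation check traffic can be recognised from HTTP metadata (the OCSP content types, or a request for a `.crl` object) and that a check belongs to a TLS session if the same client sends it within a few seconds of the handshake; both are assumptions of this example, and the flow records are constructed. A check sent by a different client, or long after the handshake, is not associated.

```python
"""Inferring whether a TLS endpoint presents a self-signed certificate from
the absence of OCSP/CRL validation traffic after the handshake.
Added example over constructed flow records; not Cisco's implementation."""
from collections import defaultdict

WINDOW_S = 5.0  # assumption: a client checks revocation within 5 s of the handshake

# Constructed flow records, not captured traffic.
FLOWS = [
    {"type": "tls", "ts": 100.0, "client": "10.0.0.5", "server": "www.example.com"},
    {"type": "http", "ts": 100.4, "client": "10.0.0.5", "host": "ocsp.example-ca.test",
     "path": "/", "content_type": "application/ocsp-request"},
    {"type": "tls", "ts": 130.0, "client": "10.0.0.6", "server": "www.example.com"},
    {"type": "http", "ts": 130.8, "client": "10.0.0.6", "host": "crl.example-ca.test",
     "path": "/ca.crl", "content_type": "application/pkix-crl"},
    # three sessions to a host whose certificate names no OCSP responder or CRL
    {"type": "tls", "ts": 200.0, "client": "10.0.0.5", "server": "update.badhost.test"},
    # a check 30 s later is outside the window and must not count
    {"type": "http", "ts": 230.0, "client": "10.0.0.5", "host": "ocsp.example-ca.test",
     "path": "/", "content_type": "application/ocsp-request"},
    {"type": "tls", "ts": 260.0, "client": "10.0.0.5", "server": "update.badhost.test"},
    {"type": "tls", "ts": 300.0, "client": "10.0.0.7", "server": "update.badhost.test"},
    # a check from a different client inside the window must not count either
    {"type": "http", "ts": 300.5, "client": "10.0.0.8", "host": "ocsp.example-ca.test",
     "path": "/", "content_type": "application/ocsp-request"},
]


def is_validation_check(flow) -> bool:
    """Recognise OCSP and CRL traffic from HTTP metadata (assumed observable)."""
    if flow["type"] != "http":
        return False
    content_type = flow.get("content_type", "")
    return (content_type in ("application/ocsp-request", "application/ocsp-response")
            or flow.get("path", "").lower().endswith(".crl"))


def associate_sessions(flows, window_s=WINDOW_S):
    """(server, client, has_check) per TLS session: has_check is True when the
    same client emitted a validation check within window_s of the handshake."""
    checks = [(f["ts"], f["client"]) for f in flows if is_validation_check(f)]
    sessions = []
    for f in flows:
        if f["type"] != "tls":
            continue
        has_check = any(c == f["client"] and f["ts"] <= t <= f["ts"] + window_s
                        for t, c in checks)
        sessions.append((f["server"], f["client"], has_check))
    return sessions


def self_signed_determination(flows, min_sessions=2, window_s=WINDOW_S):
    """Per endpoint domain: session count, how many had a check, and the
    feature handed to the malware detector (no session ever had one)."""
    observations = defaultdict(list)
    for server, _client, has_check in associate_sessions(flows, window_s):
        observations[server].append(has_check)
    result = {}
    for server, obs in observations.items():
        if len(obs) < min_sessions:
            continue  # too little evidence to say anything about this domain
        result[server] = {
            "sessions": len(obs),
            "validation_checks": sum(obs),
            "likely_self_signed": not any(obs),
        }
    return result


if __name__ == "__main__":
    for domain, verdict in self_signed_determination(FLOWS).items():
        print(domain, verdict)
```

The output is a feature, not a verdict, which matches the abstract's use of it as input to a malware detector: OCSP stapling, cached OCSP responses, browser-side revocation lists and stacks that skip revocation checking altogether all produce no check traffic for perfectly well-issued certificates, so the absence of checks only becomes meaningful when combined with other flow features and observed across several sessions.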
10.
Publication number: US20210006589A1
Publication date: 2021-01-07
Application number: US17029156
Application date: 2020-09-23
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout , Blake Harrell Anderson , Martin Grill , David McGrew , Martin Kopp , Tomas Pevny
IPC: H04L29/06 , G06N20/00 , H04L12/24 , H04L12/851
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.