公开(公告)号：US10305928B2

公开(公告)日：2019-05-28

申请号：US14820265

申请日：2015-08-06

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Andrew Zawadowskiy ,  Donovan O'Hara ,  Saravanan Radhakrishnan ,  Tomas Pevny ,  Daniel G. Wing

IPC: H04L29/06

Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

公开(公告)号：US20190068362A1

公开(公告)日：2019-02-28

申请号：US15692288

申请日：2017-08-31

Applicant: Cisco Technology, Inc.

Inventor： BLAKE HARRELL ANDERSON ,  Andrew Chi ,  David McGrew ,  Scott William Dunlop

IPC: H04L9/08 ,  H04L29/06 ,  H04W72/04 ,  G06N5/02

Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.

公开(公告)号：US10205641B2

公开(公告)日：2019-02-12

申请号：US14802033

申请日：2015-07-17

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Kenneth S. Beck

IPC: H04L12/26 ,  H04L29/06

Abstract: A method and related apparatus for performing inspection of flows within a software defined network includes identifying a security appliance within a software defined network, identifying candidate traffic flows flowing in the software defined network to be inspected, selecting one of the candidate traffic flows for security inspection, and communicating with a software defined network controller to cause the one of the candidate traffic flows to be redirected towards the security appliance for inspection or to cause the one of the candidate traffic flows to be copied and a resulting copy thereof forwarded to the security appliance for inspection.

公开(公告)号：US10158487B2

公开(公告)日：2018-12-18

申请号：US14800813

申请日：2015-07-16

Applicant: Cisco Technology, Inc.

Inventor： James Anil Pramod Kotwal ,  Christopher Blayne Dreier ,  David Aaron Wyde ,  Kellen Mac Arb ,  David McGrew ,  Scott Fluhrer

IPC: H04L29/06 ,  H04L9/32 ,  H04L9/08

Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.

公开(公告)号：US20180097835A1

公开(公告)日：2018-04-05

申请号：US15285805

申请日：2016-10-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing ,  Flemming Andreasen

IPC: H04L29/06 ,  H04L29/12

CPC classification number: H04L63/1441 ,  H04L61/1511 ,  H04L63/0428 ,  H04L63/1408 ,  H04L63/145 ,  H04L63/166

Abstract: In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.

公开(公告)号：US09699202B2

公开(公告)日：2017-07-04

申请号：US14717127

申请日：2015-05-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Titouan Rigoudy

IPC: H04L29/06

CPC classification number: H04L63/1416 ,  H04L63/1425 ,  H04L63/1483

Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.

公开(公告)号：US09288186B2

公开(公告)日：2016-03-15

申请号：US13909735

申请日：2013-06-04

Applicant: CISCO Technology, Inc.

Inventor： David McGrew

IPC: H04L29/06

CPC classification number: H04L63/0245

Abstract: In one embodiment, a method includes receiving from a secure device, an encrypted rule at a first network device, receiving at the first network device, a packet containing at least one encrypted subfield from a second network device, the subfield encrypted based on a key received at the second network device from the secure device, and determining if the encrypted subfield matches the encrypted rule. An apparatus and logic are also disclosed herein.

Abstract translation: 在一个实施例中，一种方法包括从安全设备接收第一网络设备的加密规则，在第一网络设备处接收包含来自第二网络设备的至少一个加密子场的分组，基于密钥加密的子域 在所述第二网络设备处从所述安全设备接收，以及确定所述加密的子字段是否匹配所述加密的规则。 本文还公开了一种装置和逻辑。

公开(公告)号：US20150067337A1

公开(公告)日：2015-03-05

申请号：US14532131

申请日：2014-11-04

Applicant: Cisco Technology, Inc.

Inventor： Kunal Patel ,  Yixin Sun ,  Puneet Gupta ,  Vinod Arjun ,  David McGrew

IPC: H04L29/06

CPC classification number: H04L63/0823 ,  H04L9/321 ,  H04L9/3263 ,  H04L63/0428 ,  H04L63/0435 ,  H04L63/061 ,  H04L63/164

Abstract: Techniques are provided for obtaining first and second digital certificates from a certificate authority database for establishing a secure exchange between network devices. The first digital certificate contains identity information of a first network device, and the second digital certificate contains classification information of the first network device. In one embodiment, a secure key exchange is initiated with the second network device, and the first and second digital certificates are transmitted as a part of the secure key exchange to the second network device. In another embodiment, the first and second digital certificates are received by an intermediate network device. The first digital certificate is encrypted and is not evaluated by the intermediate network device. The second digital certificate is evaluated for classification information of the first network device. Source information associated with the first network device is stored, and encrypted traffic is processed between the network devices.

Abstract translation: 提供了用于从证书机构数据库获得第一和第二数字证书以建立网络设备之间的安全交换的技术。 第一数字证书包含第一网络设备的身份信息，第二数字证书包含第一网络设备的分类信息。 在一个实施例中，与第二网络设备一起发起安全密钥交换，并且将第一和第二数字证书作为安全密钥交换的一部分被发送到第二网络设备。 在另一个实施例中，第一和第二数字证书由中间网络设备接收。 第一个数字证书是加密的，不被中间网络设备评估。 对第一个网络设备的分类信息进行第二个数字证书的评估。 存储与第一网络设备相关联的源信息，并且在网络设备之间处理加密流量。

公开(公告)号：US20240348645A1

公开(公告)日：2024-10-17

申请号：US18417256

申请日：2024-01-19

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/145 ,  H04L63/0428 ,  H04L63/1408 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US20240305539A1

公开(公告)日：2024-09-12

申请号：US18668697

申请日：2024-05-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  G06F21/55 ,  H04L9/40 ,  H04L67/143 ,  H04W12/12

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12 ,  H04L63/20 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.