公开(公告)号：US12088607B2

公开(公告)日：2024-09-10

申请号：US18592137

申请日：2024-02-29

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US20240195705A1

公开(公告)日：2024-06-13

申请号：US18583370

申请日：2024-02-21

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Martin Rehak ,  Blake Harrell Anderson ,  Sunil Amin

IPC: H04L41/28 ,  G06F21/55 ,  H04L9/40 ,  H04L67/143 ,  H04W12/12

CPC classification number: H04L41/28 ,  G06F21/55 ,  H04L63/14 ,  H04L63/1425 ,  H04L63/1441 ,  H04W12/12 ,  H04L63/20 ,  H04L67/143

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

公开(公告)号：US11916887B2

公开(公告)日：2024-02-27

申请号：US18160820

申请日：2023-01-27

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L9/40

CPC classification number: H04L63/0428 ,  H04L63/166

Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.

公开(公告)号：US20230239319A1

公开(公告)日：2023-07-27

申请号：US18100502

申请日：2023-01-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00 ,  G06N5/04

CPC classification number: H04L63/1458 ,  G06N20/00 ,  G06N5/04 ,  H04L63/0428

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

公开(公告)号：US11711336B2

公开(公告)日：2023-07-25

申请号：US17466370

申请日：2021-09-03

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L61/4511 ,  H04L9/40 ,  H04L61/4541 ,  H04L67/61 ,  H04L69/22 ,  H04L47/2425

CPC classification number: H04L61/4511 ,  H04L61/4541 ,  H04L63/0428 ,  H04L67/61 ,  H04L47/2433 ,  H04L69/22

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US11711308B2

公开(公告)日：2023-07-25

申请号：US17694060

申请日：2022-03-14

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L12/851 ,  H04L47/2441 ,  H04L47/2483 ,  H04L47/25 ,  H04L47/2475 ,  H04L49/35 ,  H04L9/40 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

CPC classification number: H04L47/2441 ,  H04L47/2475 ,  H04L47/2483 ,  H04L47/25 ,  H04L49/355 ,  H04L63/0254 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1458 ,  H04L63/166 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20230179581A1

公开(公告)日：2023-06-08

申请号：US18160820

申请日：2023-01-27

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L9/40

CPC classification number: H04L63/0428 ,  H04L63/166

Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.

公开(公告)号：US20230146962A1

公开(公告)日：2023-05-11

申请号：US18096143

申请日：2023-01-12

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  H04L63/1425 ,  G06N20/00 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US11582208B1

公开(公告)日：2023-02-14

申请号：US17498392

申请日：2021-10-11

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson

IPC: H04L29/06 ,  H04L9/40

Abstract: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.

公开(公告)号：US11451578B2

公开(公告)日：2022-09-20

申请号：US17029156

申请日：2020-09-23

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.