-
公开(公告)号:US11916887B2
公开(公告)日:2024-02-27
申请号:US18160820
申请日:2023-01-27
IPC分类号: H04L9/40
CPC分类号: H04L63/0428 , H04L63/166
摘要: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.
-
公开(公告)号:US11800260B2
公开(公告)日:2023-10-24
申请号:US17154053
申请日:2021-01-21
CPC分类号: H04Q9/02 , H04L9/3066 , H04L63/0428 , H04L63/166 , H04Q9/00 , H04L63/0823 , H04Q2209/30
摘要: In one embodiment, a method includes receiving a traffic flow including a plurality of packets encrypted using a cryptographic protocol, determining cryptographic protocol data of the traffic flow, and transmitting telemetry data of the traffic flow including the cryptographic protocol data. In another embodiment, a method includes receiving telemetry data of a traffic flow including a plurality of packets encrypted using a cryptographic protocol, the telemetry data including cryptographic protocol data of the traffic flow, classifying the traffic flow based on the cryptographic protocol data using a machine learning classifier; and taking a remedial action with respect to the traffic flow based on the classification of the traffic flow.
-
公开(公告)号:US20230239319A1
公开(公告)日:2023-07-27
申请号:US18100502
申请日:2023-01-23
CPC分类号: H04L63/1458 , G06N20/00 , G06N5/04 , H04L63/0428
摘要: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.
-
公开(公告)号:US11711336B2
公开(公告)日:2023-07-25
申请号:US17466370
申请日:2021-09-03
IPC分类号: H04L61/4511 , H04L9/40 , H04L61/4541 , H04L67/61 , H04L69/22 , H04L47/2425
CPC分类号: H04L61/4511 , H04L61/4541 , H04L63/0428 , H04L67/61 , H04L47/2433 , H04L69/22
摘要: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.
-
公开(公告)号:US11711308B2
公开(公告)日:2023-07-25
申请号:US17694060
申请日:2022-03-14
发明人: Michael Joseph Stepanek , Costas Kleopa , David McGrew , Blake Harrell Anderson , Saravanan Radhakrishnan
IPC分类号: H04L12/851 , H04L47/2441 , H04L47/2483 , H04L47/25 , H04L47/2475 , H04L49/35 , H04L9/40 , H04W12/12 , H04W12/122 , H04W12/128
CPC分类号: H04L47/2441 , H04L47/2475 , H04L47/2483 , H04L47/25 , H04L49/355 , H04L63/0254 , H04L63/0428 , H04L63/1425 , H04L63/1458 , H04L63/166 , H04W12/12 , H04W12/122 , H04W12/128
摘要: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
-
公开(公告)号:US20230179581A1
公开(公告)日:2023-06-08
申请号:US18160820
申请日:2023-01-27
IPC分类号: H04L9/40
CPC分类号: H04L63/0428 , H04L63/166
摘要: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.
-
公开(公告)号:US20230146962A1
公开(公告)日:2023-05-11
申请号:US18096143
申请日:2023-01-12
CPC分类号: H04L63/1458 , H04L63/1425 , G06N20/00 , H04L2463/144
摘要: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.
-
公开(公告)号:US11582208B1
公开(公告)日:2023-02-14
申请号:US17498392
申请日:2021-10-11
摘要: According to an embodiment, a method receives one or more messages associated with connecting a client and a first host. At least one of the messages comprises an encrypted portion indicating the first host and at least one of the messages comprises a cleartext portion indicating a second host. The method determines first and second sets of links associated with the first and second host, respectively. The first set is determined based on monitoring a result of connecting the client and the first host. The second set is determined based on observing behavior associated with connecting to the second host. The method detects domain fronting in response to determining, based on comparing the first set of links and the second set of links, that the first host differs from the second host.
-
公开(公告)号:US11558424B2
公开(公告)日:2023-01-17
申请号:US17307677
申请日:2021-05-04
摘要: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.
-
公开(公告)号:US11451578B2
公开(公告)日:2022-09-20
申请号:US17029156
申请日:2020-09-23
发明人: Jan Kohout , Blake Harrell Anderson , Martin Grill , David McGrew , Martin Kopp , Tomas Pevny
IPC分类号: H04L9/40 , G06N20/00 , H04L41/0686 , H04L47/2441 , G06N20/20
摘要: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
-
-
-
-
-
-
-
-
搜索结果
150 条记录 (耗时 0.032 秒)
