-
Publication No.: US20190312893A1
Publication date: 2019-10-10
Application No.: US16432400
Filing date: 2019-06-05
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson, Ivan Nikolaev
Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.
-
Publication No.: US20190251479A1
Publication date: 2019-08-15
Application No.: US15892475
Filing date: 2018-02-09
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Subharthi Paul
CPC classification number: G06N20/00, H04L63/1425, H04L63/1441
Abstract: Methods and systems to classify a training dataset of network data as a poisoned training dataset based on a first dataset-level classifier, identify and remove poison samples of the poisoned training dataset based on a sample-level classifier to produce a non-poisoned dataset, train a machine-based model to analyze network traffic based on the modified non-poisoned dataset, and analyze network traffic with the machine-based model.
-
Publication No.: US20190245868A1
Publication date: 2019-08-08
Application No.: US15891708
Filing date: 2018-02-08
Applicant: Cisco Technology, Inc.
Inventor: Santosh Ramrao Patil, Gangadharan Byju Pularikkal, David McGrew, Blake Harrell Anderson, Madhusudan Nanjanagud
IPC: H04L29/06
CPC classification number: H04L63/1408, H04L43/04, H04L69/16
Abstract: Methods and systems to estimate encrypted multi-path TCP (MPTCP) network traffic include restricting traffic in a first direction (e.g., uplink) to a single path, and estimating traffic of multiple subflows of a second direction (e.g., downlink) based on traffic over the single path of the first direction. The estimating may be based on, without limitation, acknowledgment information of the single path, a sequence of acknowledgment numbers of the single path, an unencrypted initial packet sent over the single path as part of a secure tunnel setup procedure, TCP header information of the unencrypted initial packet (e.g., sequence number, acknowledgment packet, and/or acknowledgment packet length), and/or metadata of packets of the single path (e.g., regarding cryptographic algorithms, Diffie-Hellman groups, and/or certificate related data).
-
Publication No.: US20190190961A1
Publication date: 2019-06-20
Application No.: US15848645
Filing date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson, Subharthi Paul, William Michael Hudson, Jr., Philip Ryan Perricone
IPC: H04L29/06
Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.
-
Publication No.: US20190190928A1
Publication date: 2019-06-20
Application No.: US15848150
Filing date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
CPC classification number: H04L63/1416, G06F21/44, G06F21/52, G06F21/55, G06F21/554, H04L9/3242, H04L63/0428, H04L63/0876, H04L63/1425, H04L63/1466
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication No.: US10257214B2
Publication date: 2019-04-09
Application No.: US15191152
Filing date: 2016-06-23
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Blake Harrell Anderson, K. Tirumaleswar Reddy, Prashanth Patil, Daniel G. Wing
IPC: G06F17/00, G06F12/14, H04L9/32, G06F11/30, G06F7/00, G06F15/18, H04L29/06, H04L12/833, H04L12/851, H04L12/46, G06N99/00, H04L12/24, H04L12/26
Abstract: In one embodiment, a device in a network receives traffic data regarding one or more traffic flows in the network. The device applies a machine learning classifier to the traffic data. The device determines a priority for the traffic data based in part on an output of the machine learning classifier. The output of the machine learning classifier comprises a probability of the traffic data belonging to a particular class. The device stores the traffic data for a period of time that is a function of the determined priority for the traffic data.
-
Publication No.: US20190014134A1
Publication date: 2019-01-10
Application No.: US15643573
Filing date: 2017-07-07
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
-
Publication No.: US20180152467A1
Publication date: 2018-05-31
Application No.: US15364933
Filing date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew
IPC: H04L29/06, H04L12/24, H04L12/851, G06N99/00
CPC classification number: H04L63/1425, G06N20/00, H04L41/16, H04L47/2441, H04L63/1458, H04L63/306, H04L2463/141, H04L2463/144
Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
-
Publication No.: US09781139B2
Publication date: 2017-10-03
Application No.: US14806236
Filing date: 2015-07-22
Applicant: Cisco Technology, Inc.
Inventor: Michal Sofka, Lukas Machlica, Karel Bartos, David McGrew
CPC classification number: H04L63/1416, G06F21/566, G06N99/005, H04L61/1511, H04L61/303, H04L63/0281, H04L63/1425, H04L2463/144
Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.
-
Publication No.: US20170019417A1
Publication date: 2017-01-19
Application No.: US14802033
Filing date: 2015-07-17
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Kenneth S. Beck
CPC classification number: H04L43/026, H04L43/062, H04L43/12, H04L63/14
Abstract: A method and related apparatus for performing inspection of flows within a software defined network includes identifying a security appliance within a software defined network, identifying candidate traffic flows flowing in the software defined network to be inspected, selecting one of the candidate traffic flows for security inspection, and communicating with a software defined network controller to cause the one of the candidate traffic flows to be redirected towards the security appliance for inspection or to cause the one of the candidate traffic flows to be copied and a resulting copy thereof forwarded to the security appliance for inspection.
-