公开(公告)号：US20180167404A1

公开(公告)日：2018-06-14

申请号：US15372580

申请日：2016-12-08

Applicant: Cisco Technology, Inc.

Inventor： Lukas Machlica ,  Martin Vejman

IPC: H04L29/06 ,  H04L12/26 ,  G06N99/00

CPC classification number: H04L63/1425 ,  H04L43/08 ,  H04L43/16 ,  H04L63/0421 ,  H04L63/0478 ,  H04L63/1441 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.

公开(公告)号：US11625640B2

公开(公告)日：2023-04-11

申请号：US16152578

申请日：2018-10-05

Applicant: Cisco Technology, Inc.

Inventor： Radek Starosta ,  Jan Brabec ,  Lukas Machlica

IPC: G06N20/00 ,  G06N7/00 ,  G06N5/00

Abstract: In one embodiment, a device distributes sets of training records from a training dataset for a random forest-based classifier among a plurality of workers of a computing cluster. Each worker determines whether it can perform a node split operation locally on the random forest by comparing a number of training records at the worker to a predefined threshold. The device determines, for each of the split operations, a data size and entropy measure of the training records to be used for the split operation. The device applies a machine learning-based predictor to the determined data size and entropy measure of the training records to be used for the split operation, to predict its completion time. The device coordinates the workers of the computing cluster to perform the node split operations in parallel such that the node split operations in a given batch are grouped based on their predicted completion times.

公开(公告)号：US20200304462A1

公开(公告)日：2020-09-24

申请号：US16360494

申请日：2019-03-21

Applicant: Cisco Technology, Inc.

Inventor： Martin Kopp ,  Lukas Machlica

IPC: H04L29/06

Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.

公开(公告)号：US10601847B2

公开(公告)日：2020-03-24

申请号：US15629906

申请日：2017-06-22

Applicant: Cisco Technology, Inc.

Inventor： Martin Kopp ,  Lukas Machlica

IPC: H04L29/06 ,  G06F21/55

Abstract: A user behavior activity detection method is provided in which network traffic relating to user behavior activities in a network is monitored. Data is stored representing network traffic within a plurality of time periods, each of the time periods serving as a transaction. Subsets of the network traffic in the transactions are identified as traffic suspected of relating to certain user behavior activities. The subsets of the network traffic in the transactions are assigned into one or more groups. A determination is made of one or more detection rules for each of the one or more groups based on identifying, for each of the groups, a number of user behavior activities common to each of the subsets of the network traffic. The one or more detection rules are used to monitor future network traffic in the network to detect occurrence of the certain user behavior activities.

公开(公告)号：US10523691B2

公开(公告)日：2019-12-31

申请号：US15400389

申请日：2017-01-06

Applicant: Cisco Technology, Inc.

Inventor： Martin Vejman ,  Lukas Machlica

IPC: G06N20/00 ,  H04L29/06 ,  G06N7/00 ,  G06N5/02 ,  H04L29/12

Abstract: Systems described herein preemptively detect newly registered network domains that are likely to be malicious before network behavior of the domains is actually observed. A network security device (e.g., a router) receives domain registration data that associates network domains with keys and generating a graph representing the domain registration data. Each edge of the graph connects a vertex representing a domain and a vertex representing a registration attribute (e.g., a registrant email address). The network security device identifies a connected component of the graph that meets a graph robustness threshold. The network security device determines whether a domain of the connected component whose behavior has not yet been observed is malicious using a predictive model based on existing maliciousness labels for other domains of the connected component.

公开(公告)号：US10375096B2

公开(公告)日：2019-08-06

申请号：US15372580

申请日：2016-12-08

Applicant: Cisco Technology, Inc.

Inventor： Lukas Machlica ,  Martin Vejman

IPC: H04L29/06 ,  H04L12/26

Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.

公开(公告)号：US09781139B2

公开(公告)日：2017-10-03

申请号：US14806236

申请日：2015-07-22

Applicant: Cisco Technology, Inc.

Inventor： Michal Sofka ,  Lukas Machlica ,  Karel Bartos ,  David McGrew

IPC: G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00 ,  H04L29/06 ,  G06N99/00 ,  H04L29/12

CPC classification number: H04L63/1416 ,  G06F21/566 ,  G06N99/005 ,  H04L61/1511 ,  H04L61/303 ,  H04L63/0281 ,  H04L63/1425 ,  H04L2463/144

Abstract: Techniques are presented to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.

公开(公告)号：US20170134404A1

公开(公告)日：2017-05-11

申请号：US14934492

申请日：2015-11-06

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Lukas Machlica ,  Michal Sofka

IPC: H04L29/06 ,  G06F17/30 ,  H04L29/08

CPC classification number: H04L63/1416 ,  G06F21/564 ,  H04L63/145 ,  H04L67/02 ,  H04L67/22

Abstract: In one embodiment, a method includes receiving packet flow data at a feature extraction hierarchy comprising a plurality of levels, each of the levels comprising a set of feature extraction functions, computing a first set of feature vectors for the packet flow data at a first level of the feature extraction hierarchy, inputting the first set of feature vectors from the first level of the feature extraction hierarchy into a second level of the feature extraction hierarchy to compute a second set of feature vectors, and transmitting a final feature vector to a classifier to identify malicious traffic. An apparatus and logic are also disclosed herein.

公开(公告)号：US11336617B2

公开(公告)日：2022-05-17

申请号：US16360494

申请日：2019-03-21

Applicant: Cisco Technology, Inc.

Inventor： Martin Kopp ,  Lukas Machlica

IPC: G06T11/20 ,  H04L29/06

Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.

公开(公告)号：US11233703B2

公开(公告)日：2022-01-25

申请号：US16196543

申请日：2018-11-20

Applicant: Cisco Technology, Inc.

Inventor： Martin Vejman ,  Lukas Machlica

IPC: H04L12/24 ,  H04L12/26 ,  H04L29/06

Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.