LEARNING DETECTOR OF MALICIOUS NETWORK TRAFFIC FROM WEAK LABELS
    12.
    Invention application (published)
    LEARNING DETECTOR OF MALICIOUS NETWORK TRAFFIC FROM WEAK LABELS    In force

    Publication number: US20170063893A1

    Publication date: 2017-03-02

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.

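    The labelling rule in the abstract (a group is malicious if any record in it is malicious, legitimate only if none is) and the training of a per-record detector from those group labels, as an added example that is not the patent's code. The record fields, the three features, the pure-Python logistic regression and the hand-constructed records are assumptions for this illustration.

```python
"""Weak (group-level) labels for a per-record malware detector.

Added example, not code from the patent. Records are grouped by
(device, server, time window); a group inherits a malicious label if any of
its records was classified malicious; every record in the group then carries
the group's label when the detector is trained.
"""
from collections import defaultdict
import math

# Constructed sample traffic records (assumed layout):
# (device, server, minute_of_capture, bytes_out, bytes_in, url_length, record_is_malicious)
# The last field is the per-record classification the abstract says is produced first.
RECORDS = [
    ("host-a", "srv-1", 0, 420, 9000, 18, False),
    ("host-a", "srv-1", 2, 380, 8700, 20, False),
    ("host-a", "srv-2", 1, 5100, 120, 160, True),   # upload-heavy, long URL
    ("host-a", "srv-2", 3, 4900, 130, 158, False),  # same channel, judged benign on its own
    ("host-b", "srv-1", 7, 400, 9100, 19, False),
    ("host-b", "srv-3", 8, 5300, 110, 171, True),
    ("host-b", "srv-3", 9, 5000, 125, 165, False),
    ("host-c", "srv-1", 11, 450, 8800, 21, False),
]

WINDOW = 5  # minutes per group; assumed value of the "predetermined period"


def group_records(records, window=WINDOW):
    """Group records by (device, server, time window)."""
    groups = defaultdict(list)
    for rec in records:
        device, server, minute = rec[0], rec[1], rec[2]
        groups[(device, server, minute // window)].append(rec)
    return dict(groups)


def weak_label(group):
    """The abstract's rule: malicious iff at least one record in the group is malicious."""
    return any(rec[6] for rec in group)


def features(rec):
    """Per-record feature vector: bias, log-scaled byte counts, scaled URL length."""
    bytes_out, bytes_in, url_len = rec[3], rec[4], rec[5]
    return [1.0, math.log1p(bytes_out) / 10, math.log1p(bytes_in) / 10, url_len / 200]


def train_detector(records, epochs=300, lr=0.5):
    """Logistic regression over individual records that carry their group's label."""
    xs, ys = [], []
    for group in group_records(records).values():
        y = 1.0 if weak_label(group) else 0.0
        for rec in group:
            xs.append(features(rec))
            ys.append(y)
    w = [0.0] * len(xs[0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in zip(xs, ys):
            p = 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))
            for i, xi in enumerate(x):
                grad[i] += (p - y) * xi
        w = [wi - lr * g / len(xs) for wi, g in zip(w, grad)]
    return w


def score(w, rec):
    """Probability that a single record is malware, under the trained detector."""
    return 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(w, features(rec)))))


def flag_communications(w, records, threshold=0.5):
    """(device, server) channels with at least one record the detector scores as malware."""
    return sorted({(r[0], r[1]) for r in records if score(w, r) > threshold})


if __name__ == "__main__":
    w = train_detector(RECORDS)
    print(flag_communications(w, RECORDS))
```

    The point of the weak label is visible in the fourth record: it was classified legitimate on its own, but it sits in the same (device, server, window) group as a malicious record, so the detector learns its traffic pattern as malware and scores it accordingly.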

Identifying threats based on hierarchical classification
    13.
    Granted invention
    Identifying threats based on hierarchical classification    In force

    Publication number: US09462008B2

    Publication date: 2016-10-04

    Application number: US14519444

    Filing date: 2014-10-21

    Abstract: A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.


Global clustering of incidents based on malware similarity and online trustfulness
    14.
    Granted invention
    Global clustering of incidents based on malware similarity and online trustfulness    In force

    Publication number: US09432393B2

    Publication date: 2016-08-30

    Application number: US14612623

    Filing date: 2015-02-03

    Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.


Network Security Classification
    16.
    Invention application (published)

    Publication number: US20180034838A1

    Publication date: 2018-02-01

    Application number: US15221838

    Filing date: 2016-07-28

    Abstract: In one embodiment, a method includes obtaining a set of samples, each of the set of samples including sample values for each of a plurality of variables in a variable space. The method includes receiving, for each of an initial subset of the set of samples, a label for the sample as being either malicious or legitimate. The method includes identifying one or more boundaries in the variable space based on the labels and sample values for each of the initial subset. The method includes selecting an incremental subset of the unlabeled samples of the set of samples, wherein the incremental subset includes at least one unlabeled sample including sample values further from any of the one or more boundaries than an unlabeled sample that is not included in the incremental subset. The method includes receiving, for each of the incremental subset, a label for the sample as being either malicious or legitimate.
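    The selection loop in the abstract, as an added example that is not the patent's code: an initial subset is labelled, a boundary is fitted in the variable space from those labels, and the incremental subset is chosen so that it contains unlabelled samples lying further from the boundary than samples that are left out. The boundary model (the hyperplane midway between the malicious and legitimate centroids), the choice to rank by distance, the oracle and the constructed two-variable samples are assumptions for this illustration.

```python
"""Boundary-driven selection of the next samples to label.

Added example, not code from the patent. The boundary is the hyperplane
w.x = b halfway between the two class centroids (an assumption; the patent
does not fix how boundaries are found).
"""
import math

# Constructed samples in a 2-variable space (x1 = log bytes out, x2 = URL entropy).
SAMPLES = {
    "s1": (1.0, 1.0), "s2": (1.5, 0.8), "s3": (6.0, 5.5), "s4": (5.5, 6.2),
    "s5": (3.4, 3.3), "s6": (0.5, 0.9), "s7": (6.8, 6.9), "s8": (3.6, 3.6), "s9": (2.9, 3.2),
}
# Labels received for the initial subset.
INITIAL_LABELS = {"s1": "legitimate", "s2": "legitimate", "s3": "malicious", "s4": "malicious"}


def centroid(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


def fit_boundary(samples, labels):
    """Hyperplane (w, b) with w.x = b passing through the midpoint of the class centroids."""
    mal = centroid([samples[s] for s, l in labels.items() if l == "malicious"])
    leg = centroid([samples[s] for s, l in labels.items() if l == "legitimate"])
    w = tuple(m - l for m, l in zip(mal, leg))
    mid = tuple((m + l) / 2 for m, l in zip(mal, leg))
    b = sum(wi * mi for wi, mi in zip(w, mid))
    return w, b


def distance_to_boundary(point, boundary):
    """Euclidean distance from a sample to the hyperplane."""
    w, b = boundary
    norm = math.sqrt(sum(wi * wi for wi in w))
    return abs(sum(wi * xi for wi, xi in zip(w, point)) - b) / norm


def select_incremental_subset(samples, labels, k):
    """Return (chosen, not_chosen): the k unlabelled samples farthest from the boundary first."""
    boundary = fit_boundary(samples, labels)
    unlabelled = [s for s in samples if s not in labels]
    ranked = sorted(unlabelled,
                    key=lambda s: distance_to_boundary(samples[s], boundary),
                    reverse=True)
    return ranked[:k], ranked[k:]


def active_learning_round(samples, labels, k, oracle):
    """One round: select the incremental subset, obtain its labels from `oracle`, merge."""
    chosen, _ = select_incremental_subset(samples, labels, k)
    new_labels = dict(labels)
    for s in chosen:
        new_labels[s] = oracle(s)   # an analyst in practice; a function here
    return new_labels


if __name__ == "__main__":
    print(select_incremental_subset(SAMPLES, INITIAL_LABELS, 2))
```

    Ranking by distance from the boundary and taking the far end is the literal reading of the abstract; classic uncertainty sampling takes the near end instead, so a practitioner building on this should decide deliberately which end of the ranking a round draws from.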

    Automatic detection of network threats based on modeling sequential behavior in network traffic

    Publication number: US10412105B2

    Publication date: 2019-09-10

    Application number: US16161572

    Filing date: 2018-10-16

    Inventor: Michal Sofka

    Abstract: A computer-implemented data processing method comprises: executing a recurrent neural network (RNN) comprising nodes each implemented as a Long Short-Term Memory (LSTM) cell and comprising links between nodes that represent outputs of LSTM cells and inputs to LSTM cells, wherein each LSTM cell implements an input layer, hidden layer and output layer of the RNN; receiving network traffic data associated with networked computers; extracting feature data representing features of the network traffic data and providing the feature data to the RNN; classifying individual Uniform Resource Locators (URLs) as malicious or legitimate using LSTM cells of the input layer, wherein inputs to the LSTM cells are individual characters of the URLs, and wherein the LSTM cells generate feature representation; based on the feature representation, generating signals to a firewall device specifying either admitting or denying the URLs.

    Robust representation of network traffic for detecting malware variations

    Publication number: US10187412B2

    Publication date: 2019-01-22

    Application number: US14946156

    Filing date: 2015-11-19

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server based on a cumulative feature vector generated from a group of network traffic records associated with communications between computing devices and servers. Feature vectors are generated, each vector including features extracted from the network traffic records in the group. A self-similarity matrix is computed for each feature which is a representation of the feature that is invariant to an increase or a decrease of feature values across all feature vectors in the group. Each self-similarity matrix is transformed into corresponding histograms to be invariant to a number of network traffic records in the group. The cumulative feature vector is a cumulative representation of the predefined set of features of all network traffic records included in the at least one group of network traffic records and is generated based on the corresponding histograms.
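    The representation described in the abstract, as an added example that is not the patent's code: for each feature, a matrix of pairwise differences between the records of a group (unchanged when the same offset is added to that feature in every record), each matrix turned into a histogram normalised by the number of pairs (unchanged by how many records the group holds), and the histograms concatenated into the cumulative vector. Absolute difference as the similarity measure, the feature names, the bin edges and the constructed beacon records are assumptions for this illustration.

```python
"""Shift- and size-invariant group representation via self-similarity matrices.

Added example, not code from the patent.
"""

FEATURES = ("url_length", "interval_sec", "bytes_out")
# Bin edges for absolute pairwise differences of each feature (assumed values).
BINS = {
    "url_length": (0, 2, 5, 10, 20, float("inf")),
    "interval_sec": (0, 1, 5, 15, 60, float("inf")),
    "bytes_out": (0, 50, 200, 1000, 5000, float("inf")),
}


def self_similarity_matrix(values):
    """Pairwise absolute differences; adding one constant to every value leaves it unchanged."""
    return [[abs(a - b) for b in values] for a in values]


def histogram(matrix, edges):
    """Histogram of the upper triangle divided by the pair count, so it sums to 1."""
    counts = [0] * (len(edges) - 1)
    n = len(matrix)
    pairs = 0
    for i in range(n):
        for j in range(i + 1, n):
            d = matrix[i][j]
            for k in range(len(edges) - 1):
                if edges[k] <= d < edges[k + 1]:
                    counts[k] += 1
                    break
            pairs += 1
    return [c / pairs for c in counts] if pairs else counts


def cumulative_feature_vector(records):
    """Concatenate the per-feature histograms of one group of records."""
    vec = []
    for name in FEATURES:
        matrix = self_similarity_matrix([r[name] for r in records])
        vec.extend(histogram(matrix, BINS[name]))
    return vec


# Constructed records of one (device, server) group: a regular beacon with near-constant URL size.
BEACON = [
    {"url_length": 64, "interval_sec": 0, "bytes_out": 512},
    {"url_length": 65, "interval_sec": 30, "bytes_out": 520},
    {"url_length": 64, "interval_sec": 60, "bytes_out": 515},
    {"url_length": 66, "interval_sec": 90, "bytes_out": 518},
]


def shifted(records, name, offset):
    """The same group with `name` moved by `offset` in every record (a malware variation)."""
    return [dict(r, **{name: r[name] + offset}) for r in records]


if __name__ == "__main__":
    print(cumulative_feature_vector(BEACON))
    print(cumulative_feature_vector(BEACON) == cumulative_feature_vector(shifted(BEACON, "url_length", 40)))
```

    A variant that pads every URL by 40 characters, or that changes the payload size of every request by the same amount, yields exactly the same cumulative vector, which is the invariance the abstract is after; what the representation does not absorb is a change in the spread of values within the group.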

    Hierarchical feature extraction for malware classification in network traffic

    Publication number: US10187401B2

    Publication date: 2019-01-22

    Application number: US14934492

    Filing date: 2015-11-06

    Abstract: In one embodiment, a method includes receiving packet flow data at a feature extraction hierarchy comprising a plurality of levels, each of the levels comprising a set of feature extraction functions, computing a first set of feature vectors for the packet flow data at a first level of the feature extraction hierarchy, inputting the first set of feature vectors from the first level of the feature extraction hierarchy into a second level of the feature extraction hierarchy to compute a second set of feature vectors, and transmitting a final feature vector to a classifier to identify malicious traffic. An apparatus and logic are also disclosed herein.
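    A feature extraction hierarchy of the kind the abstract describes, as an added example that is not the patent's code: each level is a set of feature extraction functions, level 1 runs on the raw packet-flow data, every later level runs on the vectors the level below it produced, and the last vector goes to a classifier. This example goes one level further than the two the abstract names (per flow, per host-server pair, per host) to show that the levels chain uniformly. The concrete functions, the grouping keys, the constructed flows and the threshold classifier are assumptions for this illustration.

```python
"""Three-level feature extraction hierarchy feeding a classifier.

Added example, not code from the patent. Items flow through the levels as
(key, payload) pairs; each level groups items by a prefix of the key and
emits one vector per group.
"""
import math
from statistics import mean

# Constructed packet-flow data (assumed layout): (host, server, url, bytes_out, bytes_in)
FLOWS = [
    ("10.0.0.5", "cdn.example", "http://cdn.example/a/b.png", 200, 15000),
    ("10.0.0.5", "cdn.example", "http://cdn.example/a/c.png", 210, 14000),
    ("10.0.0.5", "x7q.example", "http://x7q.example/?id=k3j9d8s7f6g5h4j3k2l1", 900, 300),
    ("10.0.0.5", "x7q.example", "http://x7q.example/?id=p0o9i8u7y6t5r4e3w2q1", 905, 310),
    ("10.0.0.5", "x7q.example", "http://x7q.example/?id=m1n2b3v4c5x6z7a8s9d0", 898, 305),
    ("10.0.0.9", "cdn.example", "http://cdn.example/a/b.png", 199, 15100),
]


def url_entropy(url):
    """Shannon entropy of the URL's characters, in bits."""
    counts = {}
    for ch in url:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(url) * math.log2(c / len(url)) for c in counts.values())


def run_level(items, group_key, functions):
    """Group (key, payload) items by group_key(key); emit (group, vector) per group."""
    groups = {}
    for key, payload in items:
        groups.setdefault(group_key(key), []).append(payload)
    return [(gk, [fn(payloads) for fn in functions]) for gk, payloads in groups.items()]


# Level 1, one group per flow (key = (host, server, index)); the payload list holds one raw flow.
LEVEL1 = (lambda k: k, [
    lambda fs: len(fs[0][2]),                   # URL length
    lambda fs: url_entropy(fs[0][2]),           # URL entropy
    lambda fs: fs[0][3] / max(fs[0][4], 1),     # upload/download ratio
])
# Level 2, one group per (host, server); payloads are level-1 vectors.
LEVEL2 = (lambda k: k[:2], [
    lambda vs: mean(v[1] for v in vs),          # mean URL entropy toward this server
    lambda vs: mean(v[2] for v in vs),          # mean upload ratio
    lambda vs: len(vs),                         # flows to this server
])
# Level 3, one group per host; payloads are level-2 vectors.
LEVEL3 = (lambda k: k[:1], [
    lambda vs: max(v[0] for v in vs),           # most entropic server contacted
    lambda vs: max(v[1] for v in vs),           # most upload-heavy server
    lambda vs: sum(v[2] for v in vs),           # total flows from the host
])


def extract(flows, levels=(LEVEL1, LEVEL2, LEVEL3)):
    """Run the hierarchy; returns {(host,): final feature vector}."""
    items = [((f[0], f[1], i), f) for i, f in enumerate(flows)]
    for group_key, functions in levels:
        items = run_level(items, group_key, functions)
    return dict(items)


def classify(vector, entropy_threshold=4.2, ratio_threshold=1.0):
    """Stand-in for a trained classifier: flag hosts with an entropic, upload-heavy server."""
    mal = vector[0] > entropy_threshold and vector[1] > ratio_threshold
    return "malicious" if mal else "legitimate"


if __name__ == "__main__":
    for host, vec in extract(FLOWS).items():
        print(host, [round(x, 3) for x in vec], classify(vec))
```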

    Identifying threats based on hierarchical classification

    Publication number: US09800597B2

    Publication date: 2017-10-24

    Application number: US15284403

    Filing date: 2016-10-03

    Abstract: A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.
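    The two-level scheme shared by this abstract and the earlier "Identifying threats based on hierarchical classification" entry (US09462008B2), as an added example that is not the patents' code: per-flow features and a flow class for each flow, a criterion that gathers flows into an event set, event-set features computed from the member flows' features, a set class, and a reported incident against the originating device. The flow fields, the rule sets standing in for the trained flow and set classifiers, the selection criterion (all flows from one source host within a time window) and the constructed flows are assumptions for this illustration.

```python
"""Hierarchical classification: flows -> flow classes -> event set -> set class -> incident.

Added example, not code from the patents.
"""
from collections import Counter

# Constructed flow records (assumed layout):
# (src_host, dst_ip, dst_port, start_sec, bytes_out, bytes_in, packets)
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443, 0, 300, 310, 6),
    ("10.0.0.5", "203.0.113.7", 443, 60, 302, 305, 6),
    ("10.0.0.5", "203.0.113.7", 443, 120, 298, 312, 6),
    ("10.0.0.5", "203.0.113.7", 443, 180, 301, 308, 6),
    ("10.0.0.9", "198.51.100.2", 443, 10, 1200, 850000, 700),
    ("10.0.0.9", "198.51.100.3", 80, 15, 900, 42000, 60),
]


def flow_features(flow):
    """Level 1: features of one flow, computed from the flow's own data."""
    src, dst, port, start, out_b, in_b, pkts = flow
    return {
        "bytes_out": out_b,
        "bytes_in": in_b,
        "ratio_in_out": in_b / max(out_b, 1),
        "bytes_per_packet": (out_b + in_b) / max(pkts, 1),
    }


def classify_flow(feat):
    """Level 1 classifier: a rule set standing in for the trained flow classifier."""
    if feat["bytes_in"] > 500_000:
        return "bulk-download"
    if (feat["bytes_out"] < 1000 and 0.8 < feat["ratio_in_out"] < 1.25
            and feat["bytes_per_packet"] < 150):
        return "small-symmetric"
    return "web-browsing"


def build_event_sets(flows, window_sec=300):
    """Selection criterion: all flows from one source host inside one time window."""
    sets = {}
    for flow in flows:
        key = (flow[0], flow[3] // window_sec)
        sets.setdefault(key, []).append(flow)
    return sets


def event_set_features(flows):
    """Level 2: features of the set, derived from the member flows' level-1 results."""
    classes = Counter(classify_flow(flow_features(f)) for f in flows)
    starts = sorted(f[3] for f in flows)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return {
        "n_flows": len(flows),
        "n_servers": len({f[1] for f in flows}),
        "frac_small_symmetric": classes["small-symmetric"] / len(flows),
        "gap_jitter": (max(gaps) - min(gaps)) if gaps else 0,
        "has_bulk": classes["bulk-download"] > 0,
    }


def classify_event_set(sf):
    """Level 2 classifier over set features (rule set standing in for a trained model)."""
    if (sf["n_flows"] >= 3 and sf["n_servers"] == 1
            and sf["frac_small_symmetric"] == 1.0 and sf["gap_jitter"] <= 5):
        return "periodic-beaconing"
    return "benign"


def report_incidents(flows):
    """(src_host, set_class) for every event set whose class is a threat."""
    incidents = []
    for (src, _), members in build_event_sets(flows).items():
        cls = classify_event_set(event_set_features(members))
        if cls != "benign":
            incidents.append((src, cls))
    return incidents


if __name__ == "__main__":
    print(report_incidents(FLOWS))
```

    No single flow from 10.0.0.5 is suspicious on its own; the incident only appears at the second level, where the regular spacing and uniform shape of the set of flows become features. That is the reason for classifying twice rather than raising an alert per flow.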
