IDENTIFYING MALICIOUS NETWORK TRAFFIC BASED ON COLLABORATIVE SAMPLING

    Publication No.: US20180198811A1

    Publication date: 2018-07-12

    Application No.: US15403365

    Filing date: 2017-01-11

    Abstract: Identifying malicious network traffic based on distributed, collaborative sampling includes, at a computing device having connectivity to a network, obtaining a first set of data flows, based on sampling criteria, that represents network traffic between one or more nodes in the network and one or more domains outside of the network, each data flow in the first set of data flows including a plurality of data packets. The first set of data flows is forwarded for correlation with a plurality of other sets of data flows from other networks to generate global intelligence data. Adjusted sampling criteria are generated based on the global intelligence data, and a second set of data flows is obtained based on the adjusted sampling criteria.

    Autonomous domain generation algorithm (DGA) detector

    Publication No.: US10979451B2

    Publication date: 2021-04-13

    Application No.: US15896421

    Filing date: 2018-02-14

    Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The security device also detects potential DGA communications activity by applying a hostname-based classifier for DGA domains to any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity and, based on that correlation, identify malware that is performing DGA.

    Robust representation of network traffic for detecting malware variations

    Publication No.: US10187412B2

    Publication date: 2019-01-22

    Application No.: US14946156

    Filing date: 2015-11-19

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server based on a cumulative feature vector generated from a group of network traffic records associated with communications between computing devices and servers. Feature vectors are generated, each vector including features extracted from the network traffic records in the group. A self-similarity matrix is computed for each feature; it is a representation of the feature that is invariant to an increase or a decrease of the feature's values across all feature vectors in the group. Each self-similarity matrix is transformed into corresponding histograms so that the representation is also invariant to the number of network traffic records in the group. The cumulative feature vector is a cumulative representation of the predefined set of features over all network traffic records included in the group and is generated from the corresponding histograms.

    USING REPETITIVE BEHAVIORAL PATTERNS TO DETECT MALWARE

    Publication No.: US20190020663A1

    Publication date: 2019-01-17

    Application No.: US15648850

    Filing date: 2017-07-13

    Abstract: In one embodiment, a device generates one or more time series of characteristics of client-server communications observed in a network for a particular client in the network. The device partitions the one or more time series into sets of time windows based on patterns present in the characteristics of the client-server communications. The device compares the characteristics of the client-server communications from the partitioned time windows to determine measures of behavioral similarity between the compared time windows. The device provides the measures of behavioral similarity between the compared time windows as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the machine learning-based malware detector determines that the particular client in the network is infected with malware.

    Identifying threats based on hierarchical classification

    Publication No.: US09800597B2

    Publication date: 2017-10-24

    Application No.: US15284403

    Filing date: 2016-10-03

    Abstract: A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.

    IDENTIFYING MALICIOUS COMMUNICATION CHANNELS IN NETWORK TRAFFIC BY GENERATING DATA BASED ON ADAPTIVE SAMPLING

    Publication No.: US20170155668A1

    Publication date: 2017-06-01

    Application No.: US14955480

    Filing date: 2015-12-01

    CPC classification number: H04L63/1416 H04L43/024 H04L63/0236 H04L2463/144

    Abstract: Identifying malicious communications by generating data representative of network traffic based on adaptive sampling includes, at a computing device having connectivity to a network, obtaining a set of data flows representing network traffic between one or more nodes in the network and one or more domains outside of the network, wherein each data flow in the set of data flows includes a plurality of data packets. One or more features are extracted from the set of data flows based on statistical measurements of the set of data flows. The set of data flows is adaptively sampled based on at least the one or more features. Then, data representative of the network traffic is generated based on the adaptive sampling to identify malicious communication channels in the network traffic.

    18. ROBUST REPRESENTATION OF NETWORK TRAFFIC FOR DETECTING MALWARE VARIATIONS (invention application, pending and published)

    Publication No.: US20170063892A1

    Publication date: 2017-03-02

    Application No.: US14946156

    Filing date: 2015-11-19

    CPC classification number: H04L63/1425

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server based on a cumulative feature vector generated from a group of network traffic records associated with communications between computing devices and servers. Feature vectors are generated, each vector including features extracted from the network traffic records in the group. A self-similarity matrix is computed for each feature; it is a representation of the feature that is invariant to an increase or a decrease of the feature's values across all feature vectors in the group. Each self-similarity matrix is transformed into corresponding histograms so that the representation is also invariant to the number of network traffic records in the group. The cumulative feature vector is a cumulative representation of the predefined set of features over all network traffic records included in the group and is generated from the corresponding histograms.

    19. EVENTS FROM NETWORK FLOWS (invention application, granted)

    Publication No.: US20160112442A1

    Publication date: 2016-04-21

    Application No.: US14519160

    Filing date: 2014-10-21

    CPC classification number: H04L63/1416 H04L67/10

    Abstract: In one embodiment, a system includes a processor to receive network flows. For each of a plurality of event-types, the processor compares each network flow to the flow-specific criteria of that event-type to determine whether the flow satisfies them. For each event-type, each network flow satisfying the flow-specific criteria of that event-type is assigned to a proto-event of that event-type. Different combinations of the network flows assigned to the proto-event are then tested against the aggregation criteria of the event-type to determine whether one combination satisfies them, and that combination identifies an event of the event-type from among the network flows of the proto-event. Related apparatus and methods are also described.

    Refining synthetic malicious samples with unlabeled data

    Publication No.: US10917421B2

    Publication date: 2021-02-09

    Application No.: US15898789

    Filing date: 2018-02-19

    Abstract: In one embodiment, a security device in a computer network determines a plurality of values for a plurality of features from samples of known malware, and computes one or more significant values out of the plurality of values, where each significant value occurs across more than a significance threshold of the samples. The security device may then determine feature values for samples of unlabeled traffic, and declare one or more particular samples of unlabeled traffic to be synthetic malicious flow samples when all feature values of each such sample match the respective significant value for each corresponding feature. The security device may then use the samples of known malware together with the synthetic malicious flow samples for model-based malware detection.