-
Publication No.: US20240356962A1
Publication date: 2024-10-24
Application No.: US18368392
Filing date: 2023-09-14
Applicant: Cisco Technology, Inc.
Inventor: Jaroslav Hlavac, Martin Kopp, Michael Adam Polak
IPC: H04L9/40
CPC classification number: H04L63/1441, H04L63/1416
Abstract: Techniques and architecture are described for automated threat response and remediation of incidents generated by single or multiple security products. The techniques and architecture provide a framework for automated threat response and remediation of incidents generated by single or multiple security products, especially for extended detection and response (XDR) systems. In particular, the techniques and architecture provide for an automated threat response that is handled by an auto-analyst engine emulating security analysts' steps during incident response and remediation. The automated threat response automatically confirms or disapproves of detection verdicts thereby reducing false positives that analysts usually have to deal with. If any actions are needed from a security analyst, a concise report of actions taken, gathered information and recommended next steps are provided by the automated threat response, significantly reducing the time and resources needed to resolve an incident.
-
Publication No.: US11956208B2
Publication date: 2024-04-09
Application No.: US17722915
Filing date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
CPC classification number: H04L63/02, H04L63/1425, H04L63/145, G06T11/206, G06T2200/24
Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication No.: US20240106836A1
Publication date: 2024-03-28
Application No.: US18225517
Filing date: 2023-07-24
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-
Publication No.: US11750621B2
Publication date: 2023-09-05
Application No.: US16831197
Filing date: 2020-03-26
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-
Publication No.: US11451578B2
Publication date: 2022-09-20
Application No.: US17029156
Filing date: 2020-09-23
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L9/40, G06N20/00, H04L41/0686, H04L47/2441, G06N20/20
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication No.: US20210306350A1
Publication date: 2021-09-30
Application No.: US16831197
Filing date: 2020-03-26
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-
Publication No.: US10708284B2
Publication date: 2020-07-07
Application No.: US15643573
Filing date: 2017-07-07
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
-
Publication No.: US20180176240A1
Publication date: 2018-06-21
Application No.: US15386006
Filing date: 2016-12-21
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Martin Grill, Jan Kohout
IPC: H04L29/06
CPC classification number: H04L63/1425, H04L9/3263, H04L63/0428, H04L63/0823, H04L63/1416, H04L63/145, H04L63/166
Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
-
Publication No.: US20180063161A1
Publication date: 2018-03-01
Application No.: US15244486
Filing date: 2016-08-23
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Tomas Pevny
IPC: H04L29/06
CPC classification number: H04L63/1416, G06F21/55, H04L63/1441
Abstract: Rapidly detecting network threats with targeted detectors includes, at a computing device having connectivity to a network, determining features of background network traffic. Features are also extracted from a particular type of network threat. A characteristic of the particular type of network threat that best differentiates the features of the particular type of network threat from the features of the background network traffic is determined. A targeted detector for the particular type of network threat is created based on the characteristic and an action is applied to particular incoming network traffic identified by the targeted detector as being associated with the particular type of network threat.
-
Publication No.: US20250141893A1
Publication date: 2025-05-01
Application No.: US18385591
Filing date: 2023-10-31
Applicant: Cisco Technology, Inc.
Inventor: Michael Adam Polak, Martin Kopp, Vojtech Outrata
Abstract: Techniques described herein can perform obfuscation detection on command lines used at computing devices in a network. In response to detecting obfuscation in a command line, the disclosed techniques can output a notification for use in connection with network security analysis. The command line obfuscation detection techniques include pre-processing command line input data and converting command lines into token groups. The token groups are then provided as an input to a natural language processor or other machine learned model, which is trained to identify obfuscation probabilities associated with token groups and corresponding command lines. A notification is generated to trigger further analysis in response to an obfuscation probability exceeding a threshold obfuscation probability.
-