Private-learned IDS
    Granted invention

    Publication number: US10708284B2

    Publication date: 2020-07-07

    Application number: US15643573

    Application date: 2017-07-07

    Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
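
    The scheme in this abstract, as an added illustration that is not the patent's own implementation: the feature space is split on one traffic characteristic (destination port) into contiguous ranges, each range is owned by one detector, each detector is a z-score anomaly model over a second characteristic (bytes per flow), and the operator UI can add or remove range boundaries, after which the affected detectors are retrained on their new slices. The training flows, the two characteristics and the adjustment instruction format are all constructed assumptions.

```python
"""Partitioned IDS detectors whose feature-space regions an operator can adjust.

Added illustration, not the patent's implementation. Assumptions: the feature
space is split on destination port into contiguous ranges, one detector per
range, each detector a z-score model over bytes per flow. Flows are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed benign training flows: (dst_port, bytes_per_flow).
BENIGN_FLOWS = [
    (80, 1500), (80, 1700), (443, 4000), (443, 4200), (443, 3900),
    (22, 300), (53, 120), (8080, 900), (8443, 5000), (8443, 5200),
]


@dataclass
class RangeDetector:
    name: str
    lo: int            # owned port range [lo, hi)
    hi: int
    mu: float = 0.0
    sigma: float = 1.0
    n_train: int = 0

    def owns(self, port: int) -> bool:
        return self.lo <= port < self.hi

    def fit(self, values: list) -> None:
        self.n_train = len(values)
        if values:
            self.mu = mean(values)
            self.sigma = pstdev(values) or 1.0   # a single sample gives sigma 0; avoid /0

    def score(self, value: float) -> float:
        return abs(value - self.mu) / self.sigma


class PartitionedIDS:
    def __init__(self, training, boundaries, threshold=3.0):
        self.training = list(training)
        self.threshold = threshold
        self.boundaries = sorted(set(boundaries))
        self._rebuild()

    def _rebuild(self):
        """Recreate one detector per region and retrain each on its own slice."""
        cuts = [0] + self.boundaries + [65536]
        self.detectors = [RangeDetector(f"d{i}", cuts[i], cuts[i + 1])
                          for i in range(len(cuts) - 1)]
        for d in self.detectors:
            d.fit([b for p, b in self.training if d.owns(p)])

    def detector_for(self, port):
        return next(d for d in self.detectors if d.owns(port))

    def is_anomalous(self, port, bytes_per_flow):
        return self.detector_for(port).score(bytes_per_flow) > self.threshold

    def ui_data(self):
        """What the device hands to the operator UI: one row per detector."""
        return [{"name": d.name, "ports": (d.lo, d.hi), "n_train": d.n_train,
                 "mu": round(d.mu, 1), "sigma": round(d.sigma, 1)}
                for d in self.detectors]

    def apply_adjustment(self, instruction):
        """Adjustment instruction from the UI (constructed format): add/remove a boundary."""
        op, port = instruction["op"], instruction["port"]
        if op == "add_boundary":
            if not 0 < port < 65536:
                raise ValueError("boundary must be a valid port")
            self.boundaries = sorted(set(self.boundaries) | {port})
        elif op == "remove_boundary":
            self.boundaries = [b for b in self.boundaries if b != port]
        else:
            raise ValueError(f"unknown op {op!r}")
        self._rebuild()


def demo():
    ids = PartitionedIDS(BENIGN_FLOWS, boundaries=[1024])
    before = ids.is_anomalous(8080, 9000)   # one detector covers all high ports: 9000 B hides in its wide sigma
    # Operator sees d1 mixing the 8080 and 8443 services (large sigma) and splits the region.
    ids.apply_adjustment({"op": "add_boundary", "port": 8400})
    after = ids.is_anomalous(8080, 9000)    # now judged against the 8080 slice alone
    return before, after, [row["name"] for row in ids.ui_data()]


if __name__ == "__main__":
    print(demo())
```

    The point the demo makes is the one the abstract is about: a detector trained over too wide a region of the feature space (here, all ports above 1023) has an inflated variance and misses a 9000-byte flow to port 8080, and the operator can fix that by moving a boundary rather than by relabelling data.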

    Discovering yet unknown malicious entities using relational data

    Publication number: US10320823B2

    Publication date: 2019-06-11

    Application number: US14844379

    Application date: 2015-09-03

    Abstract: Data is collected from a database arrangement about behavior of observed entities, wherein the collected data includes one or more features associated with the observed entities. A probabilistic model is determined that correlates the one or more features with malicious and/or benign behavior of the observed entities. Data is collected from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities. One of the unobserved entities is determined to be a malicious entity based on the at least one common feature and the probabilistic model. Network policies are applied to packets sent from the malicious entity.

    Detection of malicious executable files using hierarchical models

    Publication number: US11113397B2

    Publication date: 2021-09-07

    Application number: US16413880

    Application date: 2019-05-16

    Abstract: In one embodiment, a device disassembles an executable file into assembly instructions. The device maps each of the assembly instructions to a fixed length instruction vector using one-hot encoding and an instruction vocabulary and forms vector representations of blocks of a control flow graph for corresponding functions of the executable file by embedding and aggregating bags of the instruction vectors. The device generates, based on the vector representations of the blocks of the control flow graph, a call graph model of the functions in the executable file. The device forms a vector representation of the executable file based in part on the call graph model. The device determines, based on the vector representation of the executable file, whether the executable file is malware.
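
    The hierarchy this abstract describes (instruction vectors, block bags, function bags, a call-graph model, a file vector, a verdict), as an added illustration that is not the patent's implementation. No real binary is disassembled: the listing is a constructed disassembly, the instruction vocabulary is a short hand-picked list, the call-graph model is one round of averaging each function's vector with its callees', and the final classifier is a hand-set linear scorer standing in for the trained model the patent would use.

```python
"""Hierarchical embedding of an executable: instructions -> blocks -> functions -> call graph -> file.

Added illustration, not the patent's implementation. Disassembly, vocabulary
and scorer weights are constructed assumptions.
"""

VOCAB = ["push", "mov", "call", "ret", "xor", "jmp", "cmp", "jne", "syscall", "lea", "UNK"]
IDX = {m: i for i, m in enumerate(VOCAB)}
DIM = len(VOCAB)


def one_hot(mnemonic):
    """Fixed-length instruction vector; out-of-vocabulary mnemonics map to UNK."""
    v = [0.0] * DIM
    v[IDX.get(mnemonic, IDX["UNK"])] = 1.0
    return v


def mean_vec(vectors, dim):
    """Bag aggregation: element-wise mean (all-zero vector for an empty bag)."""
    if not vectors:
        return [0.0] * dim
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def embed_block(instructions):
    """A basic block is a bag of its instruction vectors (an opcode histogram)."""
    return mean_vec([one_hot(m) for m in instructions], DIM)


def embed_function(blocks):
    """A function is a bag of its control-flow-graph blocks."""
    return mean_vec([embed_block(b) for b in blocks], DIM)


def call_graph_model(functions, calls):
    """One round of message passing: each function = [own vector | mean of callees' vectors]."""
    own = {f: embed_function(blocks) for f, blocks in functions.items()}
    out = {}
    for f in functions:
        callees = [own[c] for c in calls.get(f, ()) if c in own]
        out[f] = own[f] + mean_vec(callees, DIM)
    return out


def file_vector(sample):
    """The file is a bag of its call-graph-aware function vectors."""
    return mean_vec(list(call_graph_model(sample["functions"], sample["calls"]).values()), 2 * DIM)


# Constructed scorer (assumption): decode-loop xor and raw syscalls raise the score;
# the same per-mnemonic weight applies to the own half and the callee half.
WEIGHTS = {"xor": 2.0, "syscall": 2.0, "jmp": 0.5}
BIAS = -0.8


def malware_score(sample):
    v = file_vector(sample)
    w = [WEIGHTS.get(m, 0.0) for m in VOCAB] * 2
    return sum(wi * vi for wi, vi in zip(w, v)) + BIAS


def is_malware(sample):
    return malware_score(sample) > 0.0


# Constructed samples: function name -> list of basic blocks (lists of mnemonics).
BENIGN_SAMPLE = {
    "functions": {"main": [["push", "mov", "call", "ret"]],
                  "helper": [["mov", "lea", "ret"]]},
    "calls": {"main": ["helper"]},
}
PACKED_SAMPLE = {
    "functions": {"main": [["push", "mov", "call"], ["call", "syscall", "ret"]],
                  "decode": [["mov", "xor", "cmp", "jne"], ["xor", "jmp"]]},
    "calls": {"main": ["decode"]},
}

if __name__ == "__main__":
    for name, s in [("benign", BENIGN_SAMPLE), ("packed", PACKED_SAMPLE)]:
        print(name, round(malware_score(s), 3), is_malware(s))
```

    Because every level is a mean, the file vector is invariant to how many instructions a function has, which is what lets the same model compare a tiny loader with a large binary; the callee half is what distinguishes "main calls a decode loop" from "a decode loop exists somewhere", which a flat opcode histogram cannot see.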

    Identifying malicious executables by analyzing proxy logs

    Publication number: US09992216B2

    Publication date: 2018-06-05

    Application number: US15040285

    Application date: 2016-02-10

    Abstract: Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.

    LEARNING INDICATORS OF COMPROMISE WITH HIERARCHICAL MODELS

    Publication number: US20180063163A1

    Publication date: 2018-03-01

    Application number: US15248252

    Application date: 2016-08-26

    CPC classification number: H04L67/02 H04L63/1425

    Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.
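
    The aggregation chain in this abstract (flows, per-user bags over a window, per-flow features, per-destination-domain vectors, a per-user vector, an IoC-based verdict), as an added illustration that is not the patent's implementation. The flow records use reserved example domains, the time window, feature set and the two indicators of compromise (regular beaconing to one domain, upload-heavy traffic) are constructed assumptions, and the thresholds are illustrative.

```python
"""Hierarchical aggregation of proxy flows into per-user vectors, then IoC classification.

Added illustration, not the patent's implementation. Flows, features, window
and the IoC predicates are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 600  # seconds per bag (the "predetermined period of time")

# Constructed flows: (timestamp, user, destination domain, bytes_out, bytes_in)
FLOWS = [
    (0,   "alice", "news.example.com", 400, 52000),
    (37,  "alice", "cdn.example.net",  300, 210000),
    (95,  "alice", "news.example.com", 420, 48000),
    (400, "alice", "mail.example.com", 900, 12000),
    (0,   "bob",   "news.example.com", 380, 50000),
    (60,  "bob",   "upd.example.org",  210, 310),
    (120, "bob",   "upd.example.org",  212, 305),
    (180, "bob",   "upd.example.org",  209, 312),
    (240, "bob",   "upd.example.org",  215, 300),
    (0,   "carol", "drop.example.net", 5_000_000, 800),
    (30,  "carol", "drop.example.net", 4_800_000, 790),
]


def make_bags(flows):
    """Bag = all flows of one user inside one time window."""
    bags = defaultdict(list)
    for ts, user, dom, out, inn in flows:
        bags[(user, ts // WINDOW)].append((ts, dom, out, inn))
    return bags


def flow_features(flow):
    """Per-flow feature vector (constructed feature set)."""
    ts, dom, out, inn = flow
    return {"ts": ts, "domain": dom, "bytes_out": out, "upload_ratio": out / (out + inn)}


def per_domain_vectors(bag):
    """Aggregate the per-flow vectors of a bag by destination domain."""
    by_dom = defaultdict(list)
    for f in map(flow_features, bag):
        by_dom[f["domain"]].append(f)
    vectors = {}
    for dom, fs in by_dom.items():
        ts = sorted(f["ts"] for f in fs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation of inter-arrival gaps; None when there are too few flows
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 3 and mean(gaps) > 0 else None
        vectors[dom] = {"count": len(fs),
                        "mean_bytes_out": mean(f["bytes_out"] for f in fs),
                        "mean_upload_ratio": mean(f["upload_ratio"] for f in fs),
                        "gap_cv": gap_cv}
    return vectors


def per_user_vector(domain_vectors):
    """Combine per-domain vectors into one per-user vector (extremes over domains)."""
    cvs = [v["gap_cv"] for v in domain_vectors.values() if v["gap_cv"] is not None]
    return {"n_domains": len(domain_vectors),
            "max_count_one_domain": max(v["count"] for v in domain_vectors.values()),
            "max_upload_ratio": max(v["mean_upload_ratio"] for v in domain_vectors.values()),
            "max_bytes_out": max(v["mean_bytes_out"] for v in domain_vectors.values()),
            "min_gap_cv": min(cvs) if cvs else None}


# Constructed indicators of compromise evaluated on the per-user vector.
IOCS = {
    "beaconing": lambda u: (u["min_gap_cv"] is not None and u["min_gap_cv"] < 0.1
                            and u["max_count_one_domain"] >= 4),
    "upload_heavy": lambda u: u["max_upload_ratio"] > 0.8 and u["max_bytes_out"] > 1_000_000,
}


def classify_users(flows):
    """Return {user: [fired IoC names]}; a non-empty list means the user's device is flagged."""
    verdicts = defaultdict(list)
    for (user, _window), bag in make_bags(flows).items():
        u = per_user_vector(per_domain_vectors(bag))
        for name, test in IOCS.items():
            if test(u) and name not in verdicts[user]:
                verdicts[user].append(name)
        verdicts.setdefault(user, [])
    return dict(verdicts)


if __name__ == "__main__":
    for user, iocs in classify_users(FLOWS).items():
        print(user, "infected" if iocs else "clean", iocs)
```

    Aggregating per domain before per user is what makes the beaconing indicator expressible at all: bob's four 60-second requests are only regular when the upd.example.org flows are looked at on their own, and they vanish into noise if all of his flows are pooled first.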

    IDENTIFYING MALICIOUS EXECUTABLES BY ANALYZING PROXY LOGS

    Publication number: US20170230388A1

    Publication date: 2017-08-10

    Application number: US15040285

    Application date: 2016-02-10

    Abstract: Identifying malicious executables by analyzing proxy logs includes, at a server having connectivity to the Internet, retrieving sets of proxy logs from a plurality of proxy servers. Each proxy server of the plurality of proxy servers is associated with a network and generates network traffic logs for one or more nodes included in the network. Then, a set of executables hosted by each of the one or more nodes associated with each of the plurality of proxy servers is determined. Each set of executables is analyzed to detect a specific executable and portions of each of the network traffic logs that are associated with the specific executable are identified. An alert is generated indicating the portions of each of the network traffic logs as likely to be associated with the specific executable.
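
    The procedure in this abstract (shared by the application here and the granted US09992216B2 listed above), as an added illustration that is not the patent's implementation: logs from several proxies are parsed, the executables each node was seen serving are collected per proxy, the nodes serving one specific executable are found across all networks, and the log portions tied to those nodes become the alert. The log lines, their Squid-like field layout, the two proxies and the choice to identify the "specific executable" by file name and byte size are constructed assumptions.

```python
"""Correlating proxy logs from several networks to find nodes hosting a specific executable.

Added illustration, not the patent's implementation. Log lines, field layout
and the (file name, size) identification of the target are constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

EXE_SUFFIXES = (".exe", ".dll", ".msi", ".scr")

# Constructed logs, one list per proxy server / network.
# Fields: epoch_ts client_ip method url status bytes content_type
PROXY_LOGS = {
    "proxy-A": [
        "1700000001.101 10.0.0.5 GET http://dl.example.net/files/setup_x86.exe 200 734208 application/x-msdownload",
        "1700000002.330 10.0.0.5 GET http://news.example.com/index.html 200 15233 text/html",
        "1700000009.412 10.0.0.5 POST http://dl.example.net/api/checkin 200 312 application/json",
        "1700000020.005 10.0.0.7 GET http://cdn.example.net/lib/jquery.js 200 89211 text/javascript",
    ],
    "proxy-B": [
        "1700000100.207 172.16.4.9 GET http://mirror.example.org/dl/setup_x86.exe 200 734208 application/x-msdownload",
        "1700000101.515 172.16.4.9 GET http://mirror.example.org/dl/readme.txt 200 512 text/plain",
        "1700000150.900 172.16.4.12 GET http://vendor.example.com/installer.msi 200 2011200 application/x-msi",
    ],
}


def parse_line(line):
    ts, client, method, url, status, size, ctype = line.split()
    u = urlparse(url)
    return {"ts": float(ts), "client": client, "method": method, "host": u.hostname,
            "path": u.path, "status": int(status), "bytes": int(size), "ctype": ctype}


def is_executable(entry):
    """Executable by extension or by the content type the server declared."""
    return (entry["path"].lower().endswith(EXE_SUFFIXES)
            or entry["ctype"] in ("application/x-msdownload", "application/x-msi"))


def hosted_executables(logs):
    """{proxy: {node: {(file name, size), ...}}}: what each node was seen serving."""
    hosted = defaultdict(lambda: defaultdict(set))
    for proxy, lines in logs.items():
        for e in map(parse_line, lines):
            if e["status"] == 200 and is_executable(e):
                hosted[proxy][e["host"]].add((e["path"].rsplit("/", 1)[-1], e["bytes"]))
    return hosted


def nodes_serving(logs, target):
    """Nodes, per proxy, whose executable set contains the specific executable."""
    return {proxy: {node for node, exes in nodes.items() if target in exes}
            for proxy, nodes in hosted_executables(logs).items()}


def associated_entries(logs, target):
    """Indices of log lines tied to the target: every request to a node that served it."""
    hits = nodes_serving(logs, target)
    return {proxy: [i for i, line in enumerate(lines)
                    if parse_line(line)["host"] in hits.get(proxy, set())]
            for proxy, lines in logs.items()}


def build_alert(logs, target):
    return {"executable": target,
            "nodes": {p: sorted(n) for p, n in nodes_serving(logs, target).items()},
            "log_entries": associated_entries(logs, target)}


if __name__ == "__main__":
    print(build_alert(PROXY_LOGS, ("setup_x86.exe", 734208)))
```

    Pulling logs from more than one proxy is the point: the same 734208-byte setup_x86.exe shows up on dl.example.net in network A and on mirror.example.org in network B, so the POST to dl.example.net/api/checkin after the download in network A is surfaced as related traffic even though it is not itself an executable fetch.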

    DISCOVERING YET UNKNOWN MALICIOUS ENTITIES USING RELATIONAL DATA
    Invention application (pending, published)

    Publication number: US20160337389A1

    Publication date: 2016-11-17

    Application number: US14844379

    Application date: 2015-09-03

    CPC classification number: H04L63/1425 G06Q50/01 H04L63/1441

    Abstract: Data is collected from a database arrangement about behavior of observed entities, wherein the collected data includes one or more features associated with the observed entities. A probabilistic model is determined that correlates the one or more features with malicious and/or benign behavior of the observed entities. Data is collected from the database arrangement for unobserved entities that have at least one common feature with at least one of the observed entities. One of the unobserved entities is determined to be a malicious entity based on the at least one common feature and the probabilistic model. Network policies are applied to packets sent from the malicious entity.
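
    The inference this abstract describes (shared with the granted US10320823B2 listed above), as an added illustration that is not the patent's implementation. The probabilistic model is assumed to be naive Bayes over categorical relational features (hosting IP, name server) with add-one smoothing; the abstract does not name a model. Only unobserved entities sharing at least one feature value with an observed entity are scored, and the "network policy" step is reduced to emitting a drop list. The entities use reserved example domains and documentation IP ranges and are constructed, as is the threshold.

```python
"""Scoring unobserved entities from features they share with observed malicious/benign ones.

Added illustration, not the patent's implementation. Naive Bayes with add-one
smoothing is an assumed model; entities and threshold are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed observed entities: domain -> (label, {feature type: value})
OBSERVED = {
    "bad1.example":  ("malicious", {"ip": "203.0.113.7",  "ns": "ns1.example.net"}),
    "bad2.example":  ("malicious", {"ip": "203.0.113.7",  "ns": "ns2.example.net"}),
    "bad3.example":  ("malicious", {"ip": "203.0.113.9",  "ns": "ns1.example.net"}),
    "good1.example": ("benign",    {"ip": "198.51.100.2", "ns": "ns9.example.com"}),
    "good2.example": ("benign",    {"ip": "198.51.100.3", "ns": "ns9.example.com"}),
    "good3.example": ("benign",    {"ip": "203.0.113.9",  "ns": "ns9.example.com"}),
}

# Constructed unobserved entities: no behaviour seen, only relational features.
UNOBSERVED = {
    "new1.example": {"ip": "203.0.113.7", "ns": "ns5.example.net"},
    "new2.example": {"ip": "203.0.113.9", "ns": "ns9.example.com"},
    "new3.example": {"ip": "192.0.2.50",  "ns": "ns1.example.net"},
    "new4.example": {"ip": "192.0.2.60",  "ns": "ns7.example.net"},   # shares nothing
}


class RelationalModel:
    def __init__(self, observed):
        self.n = Counter(label for label, _ in observed.values())
        self.counts = defaultdict(Counter)   # (ftype, value) -> Counter(label)
        self.values = defaultdict(set)       # ftype -> distinct values seen
        for label, feats in observed.values():
            for ftype, value in feats.items():
                self.counts[(ftype, value)][label] += 1
                self.values[ftype].add(value)

    def likelihood(self, ftype, value, label):
        """P(feature = value | label), add-one smoothed over the values seen for that type."""
        k = len(self.values[ftype])
        seen = self.counts.get((ftype, value), Counter())   # .get: do not create entries
        return (seen[label] + 1) / (self.n[label] + k)

    def shares_feature(self, feats):
        return any((ft, v) in self.counts for ft, v in feats.items())

    def p_malicious(self, feats):
        """Posterior from prior log-odds plus each feature's log likelihood ratio."""
        logit = math.log(self.n["malicious"] / self.n["benign"])
        for ftype, value in feats.items():
            logit += math.log(self.likelihood(ftype, value, "malicious")
                              / self.likelihood(ftype, value, "benign"))
        return 1.0 / (1.0 + math.exp(-logit))


def discover_malicious(observed, unobserved, threshold=0.6):
    """Score entities sharing >= 1 feature with an observed one; return (flagged, all scores)."""
    model = RelationalModel(observed)
    scores = {name: model.p_malicious(f) for name, f in unobserved.items()
              if model.shares_feature(f)}
    return {name: p for name, p in scores.items() if p >= threshold}, scores


def block_policy(malicious):
    """Network policy applied to packets from the discovered entities (here: a drop list)."""
    return [f"drop src {name}" for name in sorted(malicious)]


if __name__ == "__main__":
    flagged, all_scores = discover_malicious(OBSERVED, UNOBSERVED)
    print(all_scores)
    print(block_policy(flagged))
```

    new1.example is flagged purely through the IP it shares with two known-bad domains, new3.example through a shared name server, while new2.example sits on an IP shared by one bad and one good domain and uses a name server only good domains use, so it scores 0.2 and stays off the list; new4.example is never scored because it has no relation to anything observed, which is the constraint the abstract places on the unobserved set.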

