Abstract:
An extended service-function chain (SFC) proxy is hosted on a network node and connected to a service path formed by one or more network nodes hosting a chain of service-functions applied to packets traversing the service path. The packets each include a service header having a service path identifier and a service index. A packet of a traffic flow destined for a service-function is received from the service path and sent to the service-function. An indication to offload the traffic flow is received from the service-function. The indication is stored in a flow table having entries each identifying a respective traffic flow. A subsequent packet of the traffic flow is received from the service path. The flow table is searched for the indication to offload the traffic flow. Upon finding the indication, the service-function is bypassed, and the subsequent packet is forwarded along the service path.
Abstract:
In one example, a service function forwarder of a service function chain enabled domain receives, from a classifier of the service function chain enabled domain, network traffic assigned to a service function path that includes at least one service node configured to apply a service function to the network traffic. The service function forwarder forwards the network traffic along the service function path. The service function forwarder receives, from the at least one service node, instructions for dynamically assigning a particular service function path to predicted network traffic that the at least one service node predicts will be triggered by the network traffic. The service function forwarder forwards the instructions to the classifier.
Abstract:
Techniques are presented for seamless engagement and disengagement of Transport Layer Security proxy services. A first initial message of a handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message of the handshaking procedure is saved at the proxy device. A second initial message of a second handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. It is determined from the second handshaking procedure that inspection of the first secure communication session is not to be performed by the proxy device. The first secure communication session is established without examination of the communication traffic by the proxy device.
Abstract:
The disclosed technology addresses the need in the art for a data loss prevention policy that is adapted to new and evolving uses of artificial intelligence tools, such as generative large language models. The present technology can use techniques such as word embeddings, or classifications using artificial intelligence tools to identify leakage of sensitive information in the context of generative large language models. The present technology can also identify and track the use of content created by artificial intelligence tools for uses within an organization.
Abstract:
In one embodiment, a network security device is configured to monitor data traffic between a first device and a second device. The network security device may be configured to intercept a first initial message of a first encrypted handshaking procedure for a first secure communication session between the first device and the second device, the first initial message specifying a hostname that has been encrypted using first key information associated with the network security device, decrypt at least a portion of the first initial message using the first key information to determine the hostname, re-encrypt the hostname using second key information associated with the second device, and send, to the second device, a second initial message of a second encrypted handshaking procedure for a second secure communication session between the network security device and the second device, the second initial message specifying the hostname re-encrypted using the second key information.
Abstract:
Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced; transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; and receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent, the agents having generated the metadata by applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.
Abstract:
Techniques are presented herein for engagement and disengagement of Transport Layer Security proxy services with encrypted handshaking. In one embodiment, a first initial message of a first encrypted handshaking procedure for a first secure communication session between a first device and a second device is intercepted at a proxy device. The first initial message includes first key exchange information for encrypting the first encrypted handshaking procedure. A copy of the first initial message is stored at the proxy device. A second initial message of a second encrypted handshaking procedure for a second secure communication session between the proxy device and the second device is sent from the proxy device to the second device. The second initial message includes second key exchange information for encrypting the second encrypted handshaking procedure. The proxy device determines, based on the second encrypted handshaking procedure, whether to remain engaged or to disengage.
Abstract:
A non-transitory computer readable medium comprising instructions stored thereon, the instructions effective to cause at least one processor to: establish trustworthiness of an application installed on an endpoint, wherein the established trustworthiness is sufficient for an enterprise security infrastructure to treat the application installed on the endpoint and the endpoint as a trusted application and a trusted endpoint; negotiate with the trusted endpoint to determine a traffic inspection method for traffic flows originating at the trusted application that are destined for a service, wherein the traffic inspection method is determined based on at least the trusted application and the service; and instruct the trusted application of the determined traffic inspection method.
Abstract:
In one embodiment, a device in a network generates a machine learning-based traffic model using data indicative of a particular node in the network attempting to retrieve content from a particular resource in the network. The device predicts, using the traffic model, a time at which the particular node is expected to attempt retrieving future content from the particular resource. The device causes the future content from the particular resource to be prefetched in the network prior to the predicted time. The device makes a security assessment of the prefetched content. The device causes performance of a mitigation action in the network based on the security assessment of the prefetched content and in response to the particular node attempting to retrieve the future content from the particular resource.