公开(公告)号：US10305809B2

公开(公告)日：2019-05-28

申请号：US15353940

申请日：2016-11-17

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L12/00 ,  H04L12/851 ,  H04L12/825 ,  H04L12/859 ,  H04L12/931 ,  H04L29/06 ,  H04W12/12

Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20190018955A1

公开(公告)日：2019-01-17

申请号：US15648626

申请日：2017-07-13

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul

IPC: G06F21/55 ,  G06F9/44 ,  H04L29/08 ,  H04L29/06 ,  G06F11/14

CPC classification number: G06F21/554 ,  G06F9/4403 ,  G06F9/4406 ,  G06F11/1435 ,  G06F21/566 ,  G06N20/00 ,  H04L41/16 ,  H04L63/1416 ,  H04L63/1425 ,  H04L67/22

Abstract: In one embodiment, a device in a network tracks changes in a source port or address identifier indicated by network traffic associated with a particular host in the network. The device detects an operating system start event based on the track changes in the source port or address identifier indicated in the traffic data associated with the particular host. The device provides data regarding the detected operating system start event as input to a machine learning-based malware detector. The device causes performance of a mitigation action in the network when the malware detector determines that the particular host is infected with malware.

公开(公告)号：US20180332053A1

公开(公告)日：2018-11-15

申请号：US15595016

申请日：2017-05-15

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/126 ,  G06N99/005 ,  H04L63/04 ,  H04L63/08 ,  H04L63/104

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US20180103056A1

公开(公告)日：2018-04-12

申请号：US15286728

申请日：2016-10-06

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L29/06 ,  H04L12/851 ,  H04L12/24 ,  G06N99/00

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.

公开(公告)号：US20170374089A1

公开(公告)日：2017-12-28

申请号：US15191129

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06 ,  H04L29/12 ,  H04L12/833 ,  H04L12/851 ,  H04L29/08 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06N20/00 ,  H04L47/2483 ,  H04L47/31 ,  H04L63/145 ,  H04L63/1458

Abstract: In one embodiment, a device in a first network receives traffic flow information regarding a plurality of traffic flows in the first network. The device labels the traffic flow information by associating classifier labels to the traffic flow information. The device receives a generic traffic classifier that was trained using a training data set that comprises labeled traffic flow information for a plurality of other networks and excludes the traffic flow information regarding the plurality of traffic flows in the first network. The device acclimates the generic traffic classifier to the first network using the labeled traffic flow information regarding the plurality of traffic flows in the first network.

公开(公告)号：US12244640B2

公开(公告)日：2025-03-04

申请号：US18535021

申请日：2023-12-11

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US12238014B2

公开(公告)日：2025-02-25

申请号：US18404403

申请日：2024-01-04

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Andrew Chi ,  David Arthur McGrew ,  Saran Singh Ahluwalia

IPC: H04L47/70 ,  G06N20/00 ,  H04L43/08 ,  H04L67/10

Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.

公开(公告)号：US20240154979A1

公开(公告)日：2024-05-09

申请号：US18416439

申请日：2024-01-18

Applicant: Cisco Technology, Inc.

Inventor： Martin Rehak ,  David McGrew ,  Blake Harrell Anderson ,  Scott William Dunlop

IPC: H04L9/40

CPC classification number: H04L63/1416 ,  H04L63/02 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1441 ,  H04L63/20 ,  H04L63/166

Abstract: In one embodiment, a traffic inspection service executed by an intermediary device obtains, from a monitoring agent executed by an endpoint device, keying information for an encrypted traffic session between the endpoint device and a remote entity. The traffic inspection service provides a notification to the monitoring agent that acknowledges receipt of the keying information. The traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session. The traffic inspection service applies a policy to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic from the session.

公开(公告)号：US11979430B2

公开(公告)日：2024-05-07

申请号：US18100502

申请日：2023-01-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N5/04 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N5/04 ,  G06N20/00 ,  H04L63/0428

Abstract: In one embodiment, a telemetry exporter in a network establishes a tunnel between the telemetry exporter and a traffic analysis service. The telemetry exporter obtains packet copies of a plurality of packets sent between devices via the network. The telemetry exporter forms a set of traffic telemetry data by discarding at least a portion of one or more of the packet copies, based on a filter policy. The telemetry exporter applies compression to the formed set of traffic telemetry data. The telemetry exporter sends, via the tunnel, the compressed set of traffic telemetry data to the traffic analysis service for analysis.

公开(公告)号：US11936683B2

公开(公告)日：2024-03-19

申请号：US17873544

申请日：2022-07-26

Applicant: Cisco Technology, Inc.

Inventor： Jan Kohout ,  Blake Harrell Anderson ,  Martin Grill ,  David McGrew ,  Martin Kopp ,  Tomas Pevny

IPC: H04L9/40 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  G06N20/20

CPC classification number: H04L63/1441 ,  G06N20/00 ,  H04L41/0686 ,  H04L47/2441 ,  H04L63/0428 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/145 ,  H04L63/168 ,  G06N20/20

Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.