Learning detector of malicious network traffic from weak labels

    Publication (announcement) number: US09923912B2

    Publication (announcement) date: 2018-03-20

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.

    23.
    Invention application
    LEARNING DETECTOR OF MALICIOUS NETWORK TRAFFIC FROM WEAK LABELS (in force)

    Publication (announcement) number: US20170063893A1

    Publication (announcement) date: 2017-03-02

    Application number: US14960086

    Filing date: 2015-12-04

    CPC classification number: H04L63/1425 G06F21/53 H04L63/0281

    Abstract: Techniques are presented that identify malware network communications between a computing device and a server utilizing a detector process. Network traffic records are classified as either malware or legitimate network traffic records and divided into groups of classified network traffic records associated with network communications between the computing device and the server for a predetermined period of time. A group of classified network traffic records is labeled as malicious when at least one of the classified network traffic records in the group is malicious and as legitimate when none of the classified network traffic records in the group is malicious to obtain a labeled group of classified network traffic records. A detector process is trained on individual classified network traffic records in the labeled group of classified network traffic records and network communication between the computing device and the server is identified as malware network communication utilizing the detector process.


    24.
    Granted invention patent
    Identifying threats based on hierarchical classification (in force)

    Publication (announcement) number: US09462008B2

    Publication (announcement) date: 2016-10-04

    Application number: US14519444

    Filing date: 2014-10-21

    Abstract: A system and a method are disclosed for identifying network threats based on hierarchical classification. The system receives packet flows from a data network and determines flow features for the received packet flows based on data from the packet flows. The system also classifies each packet flow into a flow class based on flow features of the packet flow. Based on a criterion, the system selects packet flows from the received packet flows and places the selected packet flows into an event set that represents an event on the network. The system determines event set features for the event set based on the flow features of the selected packet flows. The system then classifies the event set into a set class based on the determined event set features. Based on the set class, the computer system may report a threat incident on an internetworking device that originated the selected packet flows.


    25.
    Granted invention patent
    Global clustering of incidents based on malware similarity and online trustfulness (in force)

    Publication (announcement) number: US09432393B2

    Publication (announcement) date: 2016-08-30

    Application number: US14612623

    Filing date: 2015-02-03

    Abstract: In an embodiment, a method, performed by processors of a computing device for creating and storing clusters of incident data records based on behavioral characteristic values in the records and origin characteristic values in the records, the method comprising: receiving a plurality of input incident data records comprising sets of attribute values; identifying two or more first incident data records that have a particular behavioral characteristic value; using a malicious incident behavioral data table that maps sets of behavioral characteristic values to identifiers of malicious acts in the network, and a plurality of comparison operations using the malicious incident behavioral data table and the two or more first incident data records, determining whether any of the two or more first incident data records are malicious; and if so, creating a similarity behavioral cluster record that includes the two or more first incident data records.


    26.
    Granted invention patent
    Events from network flows (in force)

    Publication (announcement) number: US09374383B2

    Publication (announcement) date: 2016-06-21

    Application number: US14519160

    Filing date: 2014-10-21

    CPC classification number: H04L63/1416 H04L67/10

    Abstract: In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.

