Comprehensible threat detection
    21.
    Granted invention patent

    Publication (Announcement) No.: US11985154B2

    Publication (Announcement) Date: 2024-05-14

    Application No.: US17668639

    Filing Date: 2022-02-10

    CPC classification number: H04L63/1425

    Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.

    ENTITY MATCHING ACROSS TELEMETRIES
    22.
    Published invention application

    Publication (Announcement) No.: US20240031328A1

    Publication (Announcement) Date: 2024-01-25

    Application No.: US18110138

    Filing Date: 2023-02-15

    CPC classification number: H04L61/4594

    Abstract: This disclosure describes techniques for matching entities across a computing network using data from different telemetries. The techniques include receiving telemetry data of the computing network, the telemetry data including identifying information corresponding to an entity, associated information of the computing network, and/or timestamps. The techniques also include establishing one or more time windows based at least in part on the timestamps. A particular time window may be determined to correspond to the associated information. The techniques may include attributing the associated information to the entity. In some cases, an address book may be maintained, including mappings of the identifying information, the associated information, and/or time windows.

    DEVICE DETECTION IN NETWORK TELEMETRY WITH TLS FINGERPRINTING

    Publication (Announcement) No.: US20210152526A1

    Publication (Announcement) Date: 2021-05-20

    Application No.: US16686364

    Filing Date: 2019-11-18

    Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.

    IDENTIFYING SELF-SIGNED CERTIFICATES USING HTTP ACCESS LOGS FOR MALWARE DETECTION

    Publication (Announcement) No.: US20190319976A1

    Publication (Announcement) Date: 2019-10-17

    Application No.: US16447150

    Filing Date: 2019-06-20

    Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

    Identifying self-signed certificates using HTTP access logs for malware detection

    Publication (Announcement) No.: US10375097B2

    Publication (Announcement) Date: 2019-08-06

    Application No.: US15386006

    Filing Date: 2016-12-21

    Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

    Explaining network anomalies using decision trees

    Publication (Announcement) No.: US10230747B2

    Publication (Announcement) Date: 2019-03-12

    Application No.: US14879425

    Filing Date: 2015-10-09

    Abstract: In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.

    CLIENT DEVICE TRACKING
    27.
    Invention application

    Publication (Announcement) No.: US20180337831A1

    Publication (Announcement) Date: 2018-11-22

    Application No.: US15598541

    Filing Date: 2017-05-18

    Abstract: A computing device having connectivity to a network stores one or more existing device models, where each of the one or more existing device models is a representation of a different client device used by a first authenticated user to access the network. The computing device obtains a device sample, which comprises network traffic data that is captured during a period of time and which is generated by a particular client device associated with the authenticated user of the network. The computing device determines, based on one or more relational criteria, whether the device sample should be assigned to one of the one or more existing device models or to an additional device model that has not yet been created. The computing device then determines relative identity of the particular client device based on whether the device sample is assigned to one of the one or more device models or to an additional device model that has not yet been created.

    ALERT FUSION FOR EXTENDED DETECTION AND RESPONSE TO SECURITY ANOMALIES

    Publication (Announcement) No.: US20240356943A1

    Publication (Announcement) Date: 2024-10-24

    Application No.: US18231816

    Filing Date: 2023-08-09

    CPC classification number: H04L63/1425 H04L63/1416

    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.

    EVENT DESCRIPTIONS FOR EXTENDED DETECTION AND RESPONSE TO SECURITY ANOMALIES

    Publication (Announcement) No.: US20240356934A1

    Publication (Announcement) Date: 2024-10-24

    Application No.: US18231817

    Filing Date: 2023-08-09

    CPC classification number: H04L63/1416 H04L41/16 H04L63/20

    Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.