公开(公告)号：US11909741B2

公开(公告)日：2024-02-20

申请号：US17330641

申请日：2021-05-26

Applicant: Cisco Technology, Inc.

Inventor： Brian E. Weis ,  Blake Harrell Anderson ,  Rashmikant B. Shah ,  David McGrew

IPC: H04L29/06 ,  G06N99/00 ,  H04L9/40 ,  G06N20/00

CPC classification number: H04L63/104 ,  G06N20/00 ,  H04L63/20

Abstract: In one embodiment, a device in a network receives an access policy and a class behavioral model for a node in the network that are associated with a class asserted by the node. The device applies the access policy and class behavioral model to traffic associated with the node. The device identifies a deviation in a behavior of the node from the class behavioral model, based on the application of the class behavioral model to the traffic associated with the node. The device causes performance of a mitigation action in the network based on the identified deviation in the behavior of the node from the class behavioral model.

公开(公告)号：US11888760B2

公开(公告)日：2024-01-30

申请号：US17390319

申请日：2021-07-30

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Andrew Chi ,  David Arthur McGrew ,  Saran Singh Ahluwalia

IPC: H04L47/70 ,  H04L43/08 ,  H04L67/10 ,  G06N20/00

CPC classification number: H04L47/82 ,  G06N20/00 ,  H04L43/08 ,  H04L67/10

Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.

公开(公告)号：US11843632B2

公开(公告)日：2023-12-12

申请号：US18096143

申请日：2023-01-12

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  Daniel G. Wing ,  Blake Harrell Anderson ,  David McGrew

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/1458 ,  G06N20/00 ,  H04L63/1425 ,  H04L2463/144

Abstract: In one embodiment, a device in a network receives an attack mitigation request regarding traffic in the network. The device causes an assessment of the traffic, in response to the attack mitigation request. The device determines that an attack detector associated with the attack mitigation request incorrectly assessed the traffic, based on the assessment of the traffic. The device causes an update to an attack detection model of the attack detector, in response to determining that the attack detector incorrectly assessed the traffic.

公开(公告)号：US11539721B2

公开(公告)日：2022-12-27

申请号：US16912471

申请日：2020-06-25

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Vincent E. Parla ,  Jan Jusko ,  Martin Grill ,  Martin Vejman

IPC: H04L29/06 ,  H04L9/40 ,  G06F21/55 ,  H04L9/32 ,  G06F21/44 ,  G06F21/52

Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

公开(公告)号：US11477548B2

公开(公告)日：2022-10-18

申请号：US17716214

申请日：2022-04-08

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David Arthur McGrew ,  Alison Kendler

IPC: H04L29/06 ,  H04L12/24 ,  H04L29/08 ,  H04Q9/02 ,  H04L9/40 ,  H04Q9/00 ,  H04L9/30

Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.

公开(公告)号：US20220200914A1

公开(公告)日：2022-06-23

申请号：US17694060

申请日：2022-03-14

Applicant: Cisco Technology, Inc.

Inventor： Michael Joseph Stepanek ,  Costas Kleopa ,  David McGrew ,  Blake Harrell Anderson ,  Saravanan Radhakrishnan

IPC: H04L47/2441 ,  H04L47/2483 ,  H04L47/25 ,  H04L47/2475 ,  H04L49/35 ,  H04L9/40 ,  H04W12/12 ,  H04W12/122 ,  H04W12/128

Abstract: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.

公开(公告)号：US20220078208A1

公开(公告)日：2022-03-10

申请号：US17531063

申请日：2021-11-19

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Keith Richard Schomburg ,  Michael Scott Dorsey ,  Constantinos Kleopa

IPC: H04L29/06

Abstract: In one embodiment, a device obtains one or more packets of a traffic session in a network. The device determines, for a particular packet of the one or more packets that match a filter, a fingerprint for the particular packet. The device identifies a plurality of traffic sessions whose packets match the fingerprint, wherein each of the plurality of traffic sessions is associated with at least one process. The device updates a process with the traffic session by applying a classifier to the plurality of traffic sessions.

公开(公告)号：US20210400011A1

公开(公告)日：2021-12-23

申请号：US17466370

申请日：2021-09-03

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L29/06

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US11196546B2

公开(公告)日：2021-12-07

申请号：US16701373

申请日：2019-12-03

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Andrew Chi ,  David McGrew ,  Scott William Dunlop

IPC: H04L29/06 ,  H04W72/04 ,  H04L9/08 ,  G06N5/02

Abstract: In one embodiment, an apparatus captures a memory dump of a device in a sandbox environment executing a malware sample. The apparatus identifies a cryptographic key based on a particular data structure in the captured memory dump. The apparatus uses the identified cryptographic key to decrypt encrypted traffic sent by the device. The apparatus labels at least a portion of the decrypted traffic sent by the device as benign. The apparatus trains a machine learning-based traffic classifier based on the at least a portion of the decrypted traffic sent by the device and labeled as benign.

公开(公告)号：US20210194894A1

公开(公告)日：2021-06-24

申请号：US16724746

申请日：2019-12-23

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew

IPC: H04L29/06

Abstract: In one embodiment, a switch in a software-defined network receives a packet sent by an endpoint device via the SDN. The switch makes a copy of the packet based on one or more header fields of the packet matching one or more flow table entries of the switch. The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. The metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data. The switch sends the formed telemetry data to the traffic analysis service.