-
Publication number: US20240259414A1
Publication date: 2024-08-01
Application number: US18632209
Application date: 2024-04-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Cenek Skarda, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication number: US11936683B2
Publication date: 2024-03-19
Application number: US17873544
Application date: 2022-07-26
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L9/40, G06N20/00, H04L41/0686, H04L47/2441, G06N20/20
CPC classification number: H04L63/1441, G06N20/00, H04L41/0686, H04L47/2441, H04L63/0428, H04L63/1416, H04L63/1425, H04L63/145, H04L63/168, G06N20/20
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication number: US20220239630A1
Publication date: 2022-07-28
Application number: US17722915
Application date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
IPC: H04L9/40
Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication number: US11245675B2
Publication date: 2022-02-08
Application number: US16686364
Application date: 2019-11-18
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Jan Brabec, Lukas Bajer
Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.
-
Publication number: US10805338B2
Publication date: 2020-10-13
Application number: US15286728
Application date: 2016-10-06
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L29/06, G06N20/00, H04L12/24, H04L12/851
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication number: US20180063174A1
Publication date: 2018-03-01
Application number: US15247036
Application date: 2016-08-25
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Jan Kohout, Martin Kopp, Thomas Pevny
CPC classification number: H04L63/1425, H04L61/1511, H04L63/0236, H04L63/1441, H04L63/164, H04L67/02
Abstract: Detecting illegitimate typosquatting with Internet Protocol (IP) information includes, at a computing device having connectivity to a network, obtaining a list of domains and filtering the list to generate a list of monitored domain strings. IP information is passively determined for domains associated with each of the monitored domain strings. A domain requested in network traffic for the network is identified as a candidate typosquatting domain and the candidate typosquatting domain is determined to be an illegitimate typosquatting domain based at least on the IP information. An action is initiated related to the illegitimate typosquatting domain.
-
Publication number: US20220368720A1
Publication date: 2022-11-17
Application number: US17873544
Application date: 2022-07-26
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Blake Harrell Anderson, Martin Grill, David McGrew, Martin Kopp, Tomas Pevny
IPC: H04L9/40, G06N20/00, H04L41/0686, H04L47/2441
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication number: US11336617B2
Publication date: 2022-05-17
Application number: US16360494
Application date: 2019-03-21
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication number: US11019095B2
Publication date: 2021-05-25
Application number: US16261682
Application date: 2019-01-30
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Lukas Bajer, Martin Kopp, Jan Kohout
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
-
Publication number: US10965704B2
Publication date: 2021-03-30
Application number: US16447150
Application date: 2019-06-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Martin Grill, Jan Kohout
Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.
-