-
Publication (Announcement) No.: US20210112102A1
Publication (Announcement) Date: 2021-04-15
Application No.: US17107350
Filing Date: 2020-11-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , Chris Allen Shenefiel , David McGrew , Robert M. Waitman
IPC: H04L29/06
Abstract: In one embodiment, a service that monitors a network obtains file characteristic data of a file stored on a first endpoint in the network. The service infers characteristics of encrypted content within encrypted traffic in the network between the first endpoint and a second endpoint, by applying a machine learning-based classifier to traffic data regarding the encrypted traffic session. The service compares the file characteristic data of the file to the inferred content characteristics of the encrypted content within the encrypted traffic, to detect the file within the encrypted traffic. The service enforces a network policy in the network, based on the detection of the file within the encrypted traffic.
-
Publication (Announcement) No.: US10932017B2
Publication (Announcement) Date: 2021-02-23
Application No.: US16436489
Filing Date: 2019-06-10
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David Arthur McGrew , Alison Kendler
Abstract: In one embodiment, a method includes receiving a flow including a plurality of bytes, each byte having one of a plurality of byte values, determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the flow, and transmitting telemetry data regarding the flow, the telemetry data including the byte value distribution metric.
-
Publication (Announcement) No.: US10904275B2
Publication (Announcement) Date: 2021-01-26
Application No.: US15364933
Filing Date: 2016-11-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew
Abstract: In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.
-
Publication (Announcement) No.: US20210021641A1
Publication (Announcement) Date: 2021-01-21
Application No.: US16512474
Filing Date: 2019-07-16
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David McGrew , Keith Richard Schomburg
Abstract: In one embodiment, a device obtains telemetry data regarding an encrypted traffic session in a network. The telemetry data includes Transport Layer Security (TLS) features of the traffic session and auxiliary information indicative of a destination address of the traffic session, a destination port of the traffic session, or a server name associated with the traffic session. The device retrieves, using the obtained telemetry data, a plurality of candidate processes from a TLS fingerprint database that relates processes with telemetry data from encrypted traffic sessions initiated by those processes. The device uses a probabilistic model to assign probabilities to each of the plurality of candidate processes. The device identifies one of the plurality of candidate processes as having initiated the encrypted traffic session based on its assigned probability.
-
Publication (Announcement) No.: US10855698B2
Publication (Announcement) Date: 2020-12-01
Application No.: US15851918
Filing Date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , Martin Rehak , David McGrew , Martin Vejman , Tomas Pevny , Martin Grill , Jan Kohout
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication (Announcement) No.: US10805338B2
Publication (Announcement) Date: 2020-10-13
Application No.: US15286728
Filing Date: 2016-10-06
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout , Blake Harrell Anderson , Martin Grill , David McGrew , Martin Kopp , Tomas Pevny
IPC: H04L29/06 , G06N20/00 , H04L12/24 , H04L12/851
Abstract: In one embodiment, a device in a network detects an encrypted traffic flow associated with a client in the network. The device captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client. The device performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier. The device generates an alert based on the classification of the encrypted traffic flow.
-
Publication (Announcement) No.: US20200322275A1
Publication (Announcement) Date: 2020-10-08
Application No.: US16910380
Filing Date: 2020-06-24
Applicant: Cisco Technology, Inc.
Inventor: Michael Joseph Stepanek , Costas Kleopa , David McGrew , Blake Harrell Anderson , Saravanan Radhakrishnan
IPC: H04L12/851 , H04L12/825 , H04L12/859 , H04L12/931 , H04L29/06 , H04W12/12
Abstract: In one embodiment, a networking device in a network detects a traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
-
Publication (Announcement) No.: US20190297402A1
Publication (Announcement) Date: 2019-09-26
Application No.: US16436489
Filing Date: 2019-06-10
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , David Arthur McGrew , Alison Kendler
Abstract: In one embodiment, a method includes receiving a flow including a plurality of bytes, each byte having one of a plurality of byte values, determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the flow, and transmitting telemetry data regarding the flow, the telemetry data including the byte value distribution metric.
-
Publication (Announcement) No.: US20190199739A1
Publication (Announcement) Date: 2019-06-27
Application No.: US15851918
Filing Date: 2017-12-22
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson , Martin Rehak , David McGrew , Martin Vejman , Tomas Pevny , Martin Grill , Jan Kohout
CPC classification number: H04L63/1416 , G06F21/53 , G06F21/6245 , G06N20/00 , H04L41/145 , H04L63/0428 , H04L63/1425 , H04L63/1458 , H04L63/166 , H04L67/02 , H04L67/28 , H04L69/325
Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.
-
Publication (Announcement) No.: US20180191748A1
Publication (Announcement) Date: 2018-07-05
Application No.: US15399003
Filing Date: 2017-01-05
Applicant: Cisco Technology, Inc.
Inventor: David McGrew , Blake Harrell Anderson , Ivan Nikolaev
CPC classification number: H04L63/1416 , H04L61/1523 , H04L61/3065 , H04L63/1425 , H04L67/02 , H04L67/22 , H04L69/02 , H04W12/00514
Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.