公开(公告)号：US10673901B2

公开(公告)日：2020-06-02

申请号：US15854879

申请日：2017-12-27

Applicant: Cisco Technology, Inc.

Inventor： Matthew Scott Robertson ,  David McGrew ,  Timothy David Keanini ,  Sunil Amin ,  Ellie Marie Daw

IPC: H04L29/06 ,  H04L9/08 ,  H04L9/32 ,  H04L9/06

Abstract: In one embodiment, a service receives captured traffic flow data regarding a traffic flow sent via a network between a first device assigned to a first network zone and a second device assigned to a second network zone. The service identifies, from the captured traffic flow data, one or more cryptographic parameters of the traffic flow. The service determines whether the one or more cryptographic parameters of the traffic flow satisfy an inter-zone policy associated with the first and second network zones. The service causes performance of a mitigation action in the network when the one or more cryptographic parameters of the traffic flow do not satisfy the inter-zone policy associated with the first and second network zones.

公开(公告)号：US20190199739A1

公开(公告)日：2019-06-27

申请号：US15851918

申请日：2017-12-22

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  Martin Rehak ,  David McGrew ,  Martin Vejman ,  Tomas Pevny ,  Martin Grill ,  Jan Kohout

IPC: H04L29/06 ,  G06F21/53 ,  G06N99/00

CPC classification number: H04L63/1416 ,  G06F21/53 ,  G06F21/6245 ,  G06N20/00 ,  H04L41/145 ,  H04L63/0428 ,  H04L63/1425 ,  H04L63/1458 ,  H04L63/166 ,  H04L67/02 ,  H04L67/28 ,  H04L69/325

Abstract: In one embodiment, a device obtains simulation environment data regarding traffic generated within a simulation environment in which malware is executed. The device trains a malware detector using the simulation environment data. The device obtains deployment environment characteristics of a network to which the malware detector is to be deployed. The device configures the malware detector to ignore data in the simulation environment data that is associated with one or more environment characteristics that are not present in the deployment environment characteristics.

公开(公告)号：US10296744B1

公开(公告)日：2019-05-21

申请号：US14864116

申请日：2015-09-24

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Kenneth S. Beck ,  Jyoti Verma ,  Jason R. Brvenik

IPC: G06F21/56

Abstract: A method and related apparatus for performing inspection of flows within a software defined network includes monitoring an indicator indicative of a presence of malware in a selected flow in an electronic communications network, when the indicator suggests the presence of malware in the selected flow, requesting a network device to redirect the selected flow, or to copy the selected flow and send a resulting copy of the selected flow, to a security appliance, and causing the security appliance to be reconfigured in response to the indicator that suggest the presence of malware in the selected flow.

公开(公告)号：US20190052462A1

公开(公告)日：2019-02-14

申请号：US16163885

申请日：2018-10-18

Applicant: Cisco Technology, Inc.

Inventor： James Anil Pramod Kotwal ,  Chritopher Blayne Dreier ,  David Aaron Wyde ,  Kellen Mac Arb ,  David McGrew ,  Scott Fluhrer

IPC: H04L9/32 ,  H04L29/06 ,  H04L9/08

Abstract: A server sends information to a client that allows the client to establish a first key at the client. The server then receives a session ID that has been encrypted using the first key. The first key is then established at the server, which can then decrypt the session ID using the first key. After the server validates the session ID, it determines a second key that is different from the first key. The server then receives the session ID encrypted with the second key, and decrypts the session ID encrypted with the second key.

公开(公告)号：US10193907B2

公开(公告)日：2019-01-29

申请号：US15616514

申请日：2017-06-07

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Titouan Rigoudy

IPC: G06F21/55 ,  H04L29/06

Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.

公开(公告)号：US20180191748A1

公开(公告)日：2018-07-05

申请号：US15399003

申请日：2017-01-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Ivan Nikolaev

IPC: H04L29/06 ,  H04L29/12 ,  H04L29/08

CPC classification number: H04L63/1416 ,  H04L61/1523 ,  H04L61/3065 ,  H04L63/1425 ,  H04L67/02 ,  H04L67/22 ,  H04L69/02 ,  H04W12/00514

Abstract: In one embodiment, a device in a network receives a set of known user identifiers used in the network. The device receives web traffic log data regarding web traffic in the network. The web traffic log data includes header information captured from the web traffic and a plurality of client addresses associated with the web traffic. The device detects a particular one of the set of known user identifiers in the header information captured from the web traffic associated with a particular one of the plurality of client addresses. The device makes an association between the particular detected user identifier and the particular client address.

公开(公告)号：US09894055B2

公开(公告)日：2018-02-13

申请号：US15010003

申请日：2016-01-29

Applicant: Cisco Technology, Inc.

Inventor： Vincent E. Parla ,  David McGrew ,  Andrzej Kielbasinski

IPC: G06F7/04 ,  H04L29/06

CPC classification number: H04L63/0815 ,  H04L63/04 ,  H04L63/08 ,  H04L63/0884

Abstract: An authentication request is generated when a user of a client device attempts to initiate a user session with an application managed by a service provider. An authentication response is generated based on credentials received from the user. The authentication response includes an assertion on behalf of the user. A delivery resource locator for the assertion is rewritten to a resource locator of a proxy in order to redirect the assertion to the proxy. The authentication response is sent to the client device together with the resource locator of the proxy in order to cause the client device to send the assertion to the proxy that decodes the re-written resource locator and sends the assertion to the service provider.

公开(公告)号：US20170374016A1

公开(公告)日：2017-12-28

申请号：US15191172

申请日：2016-06-23

Applicant: Cisco Technology, Inc.

Inventor： K. Tirumaleswar Reddy ,  David McGrew ,  Blake Harrell Anderson ,  Daniel G. Wing

IPC: H04L29/12 ,  H04L29/08 ,  H04L12/721 ,  H04L29/06

CPC classification number: H04L61/1511 ,  H04L47/2433 ,  H04L61/1541 ,  H04L63/0428 ,  H04L67/322 ,  H04L69/22

Abstract: In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

公开(公告)号：US20160255098A1

公开(公告)日：2016-09-01

申请号：US14963915

申请日：2015-12-09

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  John Foley

IPC: H04L29/06

CPC classification number: H04L63/123 ,  H04L9/30 ,  H04L63/0435 ,  H04L63/1466

Abstract: A method of providing anti-replay protection, authentication, and encryption with minimal data overhead is provided. A sender uses an arbitrary-length pseudorandom permutation to encrypt messages that include plaintext and successively increasing sequence numbers, to produce ciphertext messages. The sender transmits the ciphertext messages. A receiver receives the ciphertext messages and, for each received ciphertext message, performs the following operations. The receiver decrypts the given ciphertext message to recover plaintext and a candidate sequence number from the message. The receiver determines if the candidate sequence number is in any one of multiple non-contiguous acceptable sequence number windows having respective sequence number ranges that are based on at least one of a highest sequence number previously accepted and a last sequence number that was previously rejected, as established based on processing of previously received ciphertext messages.

Abstract translation: 提供了一种以最少数据开销提供反重放保护，认证和加密的方法。 发送方使用任意长度的伪随机排列来加密包括明文和连续增加的序列号的消息，以产生密文消息。 发送方发送密文消息。 接收者接收密文消息，对于每个收到的密文消息，执行以下操作。 接收机解密给定的密文消息，从消息中恢复明文和候选序列号。 接收机确定候选序列号是否具有基于先前接受的最高序列号和先前拒绝的最后序列号中的至少一个的具有相应序列号范围的多个不连续可接受序列号窗口中的任一个， 如基于先前接收的密文消息的处理所建立的。

公开(公告)号：US20160234234A1

公开(公告)日：2016-08-11

申请号：US14614530

申请日：2015-02-05

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Kenneth S. Beck

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L45/124 ,  H04L45/125 ,  H04L63/18 ,  H04L63/20

Abstract: Techniques are presented herein that allow for arranging traffic flows in a network, and using the capabilities for inspection, recording, and enforcement around the network, in a way that makes the best use of the resources. A software defined network (SDN) interface between the network and security applications exposes a programmatic way to control security resources around the network such that they are optimally utilized. The SDN interface prioritizes and optimizes the use of security elements in the network. Security requests with corresponding priorities are used by a network controller to direct traffic flows through appropriate security elements, such as recording, inspection, or enforcement elements. The configuration of traffic flows is optimized with respect to the capacity of the communication links, as well as the priority of the respective security requests.

Abstract translation: 本文给出了允许在网络中布置交通流并且以最佳利用资源的方式使用围绕网络进行检查，记录和执行的能力的技术。 网络和安全应用程序之间的软件定义网络（SDN）接口公开了一种编程方式来控制网络周围的安全资源，以便最佳地利用网络。 SDN接口优先考虑并优化网络中安全元素的使用。 网络控制器使用具有相应优先级的安全请求来引导流量通过适当的安全元素，例如记录，检查或强制元素。 针对通信链路的容量以及相应的安全请求的优先级，优化业务流的配置。