-
Publication number: US12063228B2
Publication date: 2024-08-13
Application number: US17559164
Filing date: 2021-12-22
Applicant: Cisco Technology, Inc.
Inventor: Akram Ismail Sheriff , Rajiv Asati , Nagendra Kumar Nainar , Ariel Shuper , Hendrikus G. P. Bosch
CPC classification number: H04L63/1416 , H04L41/22 , H04L63/1425 , H04L63/1466
Abstract: In one embodiment, a method comprises: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.
-
Publication number: US12063149B2
Publication date: 2024-08-13
Application number: US18353702
Filing date: 2023-07-17
Applicant: Cisco Technology, Inc.
Inventor: Alberto Rodriguez Natal , Hendrikus G. P. Bosch , Fabio Maino , Lars Olaf Stefan Olofsson , Jeffrey Napper , Anubhav Gupta
IPC: H04L41/5019 , H04L47/10
CPC classification number: H04L41/5019 , H04L47/10
Abstract: Systems, methods, and computer-readable media for locally applying endpoint-specific policies to an endpoint in a network environment. A network device local to one or more endpoints in a network environment can receive from a centralized network controller one or more network-wide endpoint policies. A first endpoint of the one or more endpoints can be configured to inject policy metadata into first data traffic. Policy metadata injected into the first data traffic can be received from the first endpoint. The network device can determine one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata with respect to the one or more network-wide endpoint policies. Accordingly, the one or more first endpoint-specific policies can be applied to control data traffic associated with the first endpoint.
-
Publication number: US20240265112A1
Publication date: 2024-08-08
Application number: US18330214
Filing date: 2023-06-06
Applicant: Cisco Technology, Inc.
Inventor: Jeffrey M. Napper , Hendrikus G. P. Bosch , Jean Diaconu , Marcelo Yannuzzi , Alessandro Duminuco , Guillaume Sauvage De Saint Marc , Marc Scibelli
CPC classification number: G06F21/577 , G06F9/451 , G06F2221/033
Abstract: A system and a method to map attack paths in a visualization interface may include storing in a memory asset inventory indicating application assets, attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may obtain security parameters from a security framework indicating one or more attack techniques, associate each of the vulnerable assets to one or more of the security parameters, and generate a visual interface showing the vulnerable assets and the security parameters. The processor may determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers and the security parameters in the visual interface.
-
Publication number: US12033010B2
Publication date: 2024-07-09
Application number: US18309194
Filing date: 2023-04-28
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Jeffrey M. Napper , Zsolt Varga , Nándor István Krácser , Krisztián Gacsal
Abstract: In one embodiment, a method includes generating an application stack. The application stack includes an application logic module. The method also includes embedding a service mesh module into the application stack. The method further includes managing, by the service mesh module, security of a network packet while maintaining separation of memory regions between the application logic module and the service mesh module.
-
Publication number: US20240134979A1
Publication date: 2024-04-25
Application number: US18317471
Filing date: 2023-05-14
Applicant: Cisco Technology, Inc.
Inventor: Alexei Kravtsov , Giovanni Conte , Hendrikus G. P. Bosch
CPC classification number: G06F21/566 , G06F21/577 , G06F2221/033
Abstract: In one embodiment, a method includes generating an application programming interface (API) definition by observing traffic. The API definition is associated with an API definition name and an API specification. The method also includes mounting the API definition with an application and deploying the application by a Continuous Integration/Continuous Delivery (CI/CD) pipeline. The method further includes implementing a runtime API and mapping the runtime API to the API definition.
-
Publication number: US20240134725A1
Publication date: 2024-04-25
Application number: US18309194
Filing date: 2023-04-27
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Jeffrey M. Napper , Zsolt Varga , Nándor István Krácser , Krisztián Gacsal
IPC: G06F9/54
CPC classification number: G06F9/547
Abstract: In one embodiment, a method includes generating an application stack. The application stack includes an application logic module. The method also includes embedding a service mesh module into the application stack. The method further includes managing, by the service mesh module, security of a network packet while maintaining separation of memory regions between the application logic module and the service mesh module.
-
Publication number: US11968201B2
Publication date: 2024-04-23
Application number: US17141007
Filing date: 2021-01-04
Applicant: Cisco Technology, Inc.
Inventor: Ahmed Bakry Helmy Ahmed , Sape Jurrien Mullender , Hendrikus G. P. Bosch , Alessandro Duminuco , Jeffrey Michael Napper
IPC: H04L9/40
CPC classification number: H04L63/0815 , H04L63/0807 , H04L63/0884 , H04L63/164
Abstract: Operations include transmitting, on behalf of a first application, a first request to a first service provider, the first request requesting first services from the first service provider, intercepting, at a local agent, a first redirect message from the first service provider to an identity provider, receiving an identity provider cookie from the identity provider based on a validation of credentials during the authentication process, storing a copy of the identity provider cookie, transmitting, on behalf of a second application, a second request to a second service provider, the second request requesting second services from the second service provider, intercepting a second redirect message from the second service provider to the identity provider, adding the identity provider cookie to the second redirect message, and receiving validation to access the second service provider from the identity provider based on the identity provider cookie stored by the local agent.
-
Publication number: US20240015140A1
Publication date: 2024-01-11
Application number: US17857678
Filing date: 2022-07-05
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Alessandro Duminuco , Zohar Kaufman
CPC classification number: H04L63/0281 , G06F9/45558 , G06F9/547 , H04L63/0236 , G06F2009/4557 , G06F2009/45595
Abstract: A system of one embodiment allows for redirecting service and API calls for containerized applications in a computer network. The system includes a memory and a processor. The system processes a plurality of application workflows of a containerized application workload. The system then identifies at least one application workflow of the plurality of application workflows and at least one workflow-specific routing rule associated with the at least one application workflow. The system then determines at least one proxy server address for each identified application workflow based on the at least one associated workflow-specific routing rule. The system then may communicate the at least one identified application workflow to the at least one proxy server using the at least one determined proxy server address.
-
Publication number: US11863588B2
Publication date: 2024-01-02
Application number: US16867642
Filing date: 2020-05-06
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Sape Jurriën Mullender , Jeffrey Michael Napper , Alessandro Duminuco , Shivani Raghav
CPC classification number: H04L63/20 , G06F9/547 , G06F21/575 , H04L63/0272 , H04L63/0853 , H04L63/1425 , H04L63/1433
Abstract: Dynamically tailored trust for secure application-server networking and advanced enterprise security is provided. A system can individually assess the security posture of each application connecting to the Internet from each client device in an enterprise. For each application, the system tailors a security mode of the Internet connection based on the security posture of the application. Assessment of the security posture of an application is a comprehensive inventory of the security of the application, the security of the device hosting the application, the rights and security of the user, security attributes of the intended service or website being accessed, the security of the communication channel, and so forth. A network-based controller communicates with an agent running within a secure boot mode of each client device to select a security mode for application-service connection, including lean-trust direct access to the Internet, secure VPN-like access, or no access to the Internet.
-
Publication number: US11809571B2
Publication date: 2023-11-07
Application number: US17346898
Filing date: 2021-06-14
Applicant: Cisco Technology, Inc.
Inventor: Hendrikus G. P. Bosch , Alessandro Duminuco , Sape Jurriën Mullender
IPC: G06F21/57
CPC classification number: G06F21/577 , G06F2221/033
Abstract: The present disclosure is directed to systems and methods for vulnerability analysis using continuous application attestation, a method including receiving a load map associated with an application, the load map indicating loaded modules of the application; determining whether at least one notification is received indicating at least one update to the loaded modules of the application, wherein, if the at least one notification is received, the load map is updated based on the indicated at least one update, and wherein, if the at least one notification is not received, the load map is retained in an existing state; periodically retrieving call traces associated with the application, the call traces indicating executed modules of the application; and generating a continuous application attestation comprising at least a combination of the updated load map or the retained load map, and the retrieved call traces associated with the application at a given time.
-