-
1.
Publication number: US20170295187A1
Publication date: 2017-10-12
Application number: US15091705
Filing date: 2016-04-06
Applicant: Cisco Technology, Inc.
Inventor: Jiri Havelka , Michal Sofka , Martin Rehák
IPC: H04L29/06
CPC classification number: H04L63/1408 , H04L63/1441 , H04L63/1483 , H04L2463/144 , H04L2463/146
Abstract: In one embodiment, a security device identifies, from monitored network traffic of one or more users, one or more suspicious domain names as candidate domains, the one or more suspicious domain names identified based on an occurrence of linguistic units used in discovered domain names within the monitored network traffic. The security device may then determine one or more features of the candidate domains, and confirm certain domains of the candidate domains as malicious domains using a parameterized classifier against the one or more features.
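The two-stage pipeline the abstract describes, as an added illustration that is not Cisco's code or the patent's own implementation: linguistic units are taken to be character trigrams of the registrable label, a label becomes a candidate when its units occur rarely across the monitored query log, and a hand-set logistic classifier over digit ratio, vowel ratio, character entropy and length confirms candidates. The query log, the trigram choice, the candidate threshold and the classifier weights are all assumptions made for the example.

```python
"""Two-stage suspicious-domain detection in the shape the abstract describes:
(1) candidate domains are picked out by how rarely their linguistic units occur
in the monitored traffic, (2) candidates are confirmed by a parameterized
classifier over per-domain features.  Illustrative code, not Cisco's."""
import math
import statistics
from collections import Counter

# Constructed DNS query log: domain -> number of queries observed.
# Popular domains are queried many times; algorithmically generated names
# tend to appear once.
TRAFFIC = {
    "google.com": 40,
    "mail.google.com": 12,
    "cisco.com": 25,
    "github.com": 15,
    "example.org": 2,          # legitimate but rare: becomes a candidate
    "xkq7z9pwt3.info": 1,      # constructed DGA-style name
    "q8zv2xtp.com": 1,         # constructed DGA-style name
}

# Assumed classifier parameters (logistic model over the features below).
# The abstract only says "parameterized classifier"; these weights are
# hand-set for the example, not learned from labelled data.
WEIGHTS = {"digit_ratio": 6.0, "vowel_ratio": -5.0, "entropy": 1.0, "length": 0.1}
BIAS = -3.5


def registrable_label(domain):
    """Second-level label of a domain, e.g. 'google' for 'mail.google.com'.
    Naive on purpose: ignores public-suffix rules such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def linguistic_units(label, n=3):
    """Character n-grams stand in for the 'linguistic units' of a label."""
    return [label[i:i + n] for i in range(len(label) - n + 1)]


def unit_occurrence(traffic):
    """Number of queries in the monitored traffic whose label contained each unit."""
    occ = Counter()
    for domain, count in traffic.items():
        for unit in linguistic_units(registrable_label(domain)):
            occ[unit] += count
    return occ


def find_candidates(traffic, max_occurrence=2):
    """Stage 1: labels whose units are rarely seen across the traffic."""
    occ = unit_occurrence(traffic)
    candidates = set()
    for domain in traffic:
        label = registrable_label(domain)
        units = linguistic_units(label)
        if not units:
            continue  # labels shorter than n have no units; leave them alone
        if statistics.median([occ[u] for u in units]) <= max_occurrence:
            candidates.add(label)
    return sorted(candidates)


def features(label):
    """Stage 2a: per-domain features fed to the classifier."""
    counts = Counter(label)
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
        "entropy": entropy,
        "length": n,
    }


def malicious_probability(label, weights=WEIGHTS, bias=BIAS):
    """Stage 2b: logistic classifier with the assumed parameters."""
    f = features(label)
    z = bias + sum(weights[k] * f[k] for k in weights)
    return 1.0 / (1.0 + math.exp(-z))


def confirm_malicious(traffic, threshold=0.5):
    """Run the classifier only over the candidates stage 1 produced."""
    return [lab for lab in find_candidates(traffic)
            if malicious_probability(lab) >= threshold]


if __name__ == "__main__":
    print("candidates:", find_candidates(TRAFFIC))
    print("malicious:", confirm_malicious(TRAFFIC))
```

The point of keeping both stages is visible in `example.org`: it is queried too rarely to escape the candidate set, but its vowel-rich, low-entropy label is cleared by the classifier, so only the two constructed DGA-style labels are confirmed. Operationally the weights would be learned from labelled domains and the label extraction would use the public suffix list rather than "second label from the right".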
-
2.
Publication number: US09985982B1
Publication date: 2018-05-29
Application number: US14977444
Filing date: 2015-12-21
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Karel Bartos , Michal Sofka , Vojtech Franc , Jiri Havelka
IPC: H04L29/06
CPC classification number: H04L63/1425 , G06F21/566 , H04L63/20
Abstract: In one embodiment, a method includes receiving at a security analysis device a plurality of indicators of compromise (IOCs) associated with an entity, sorting, at the security analysis device, the IOCs based on a time of occurrence of each of the IOCs, creating a representation of transitions between the IOCs at the security analysis device, and generating, at the security analysis device, a feature vector based on the representation of transitions. The feature vector is configured for use by a classifier in identifying malicious entities. An apparatus and logic are also disclosed herein.
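The three steps the abstract lists (sort by time, represent transitions, flatten to a feature vector), as an added example that is not Cisco's code or the patent's own implementation. The transition representation chosen here is a row-stochastic matrix over consecutive IOC pairs; the four IOC types and the two hosts' event lists are constructed for the example, since the abstract names neither. The second host carries the same multiset of IOCs in a different order, which shows what a transition-based vector captures that a plain count of IOCs would not.

```python
"""Turn an entity's indicators of compromise (IOCs) into a transition-based
feature vector, following the abstract: sort by time, build a representation
of transitions between consecutive IOCs, flatten it into a fixed-length
vector for a classifier.  Illustrative code, not Cisco's."""
from datetime import datetime

# Assumed IOC vocabulary: the abstract does not name IOC types, so these four
# are invented for the example. Their order fixes the vector layout.
IOC_TYPES = ["dga_domain", "exploit_kit", "file_download", "c2_beacon"]

# Constructed IOCs for two hosts as (timestamp, ioc_type), deliberately out
# of chronological order, as events from several detectors usually arrive.
ENTITY_A = [
    ("2024-03-01T10:05:00", "c2_beacon"),
    ("2024-03-01T10:00:00", "exploit_kit"),
    ("2024-03-01T10:15:00", "dga_domain"),
    ("2024-03-01T10:01:00", "file_download"),
    ("2024-03-01T10:16:00", "c2_beacon"),
    ("2024-03-01T10:10:00", "c2_beacon"),
]
# Same multiset of IOC types as ENTITY_A, different order of occurrence.
ENTITY_B = [
    ("2024-03-01T11:00:00", "dga_domain"),
    ("2024-03-01T11:02:00", "c2_beacon"),
    ("2024-03-01T11:04:00", "c2_beacon"),
    ("2024-03-01T11:06:00", "exploit_kit"),
    ("2024-03-01T11:07:00", "file_download"),
    ("2024-03-01T11:09:00", "c2_beacon"),
]


def sorted_types(iocs, vocab=IOC_TYPES):
    """Step 1: IOC types in order of occurrence (ties keep input order).
    Unknown types are rejected rather than silently dropped."""
    for _, t in iocs:
        if t not in vocab:
            raise ValueError(f"unknown IOC type: {t!r}")
    ordered = sorted(iocs, key=lambda ioc: datetime.fromisoformat(ioc[0]))
    return [t for _, t in ordered]


def transition_matrix(types, vocab=IOC_TYPES):
    """Step 2: M[i][j] = P(next IOC is vocab[j] | current is vocab[i]),
    estimated from consecutive pairs. Rows with no outgoing transition
    (including every row when there are fewer than two IOCs) stay zero."""
    k = len(vocab)
    idx = {t: i for i, t in enumerate(vocab)}
    counts = [[0] * k for _ in range(k)]
    for cur, nxt in zip(types, types[1:]):
        counts[idx[cur]][idx[nxt]] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix


def feature_vector(iocs, vocab=IOC_TYPES):
    """Step 3: flatten the transition matrix row-major into len(vocab)**2 floats."""
    m = transition_matrix(sorted_types(iocs, vocab), vocab)
    return [v for row in m for v in row]


def feature_names(vocab=IOC_TYPES):
    """Name of each vector position, useful when explaining a classifier verdict."""
    return [f"{a}->{b}" for a in vocab for b in vocab]


if __name__ == "__main__":
    for name, iocs in (("host-a", ENTITY_A), ("host-b", ENTITY_B)):
        fv = feature_vector(iocs)
        nonzero = {n: v for n, v in zip(feature_names(), fv) if v}
        print(name, nonzero)
```

Both hosts have identical IOC counts, yet host-a's vector carries mass on `c2_beacon->dga_domain` while host-b's carries it on `c2_beacon->exploit_kit`, so a downstream classifier can separate sequences that a bag-of-IOCs representation would merge. An entity with a single IOC yields the all-zero vector; a real deployment would also want a feature for the number of transitions, since the row normalisation discards it.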
-