-
Publication No.: US20220232299A1
Publication Date: 2022-07-21
Application No.: US17716214
Filing Date: 2022-04-08
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew, Alison Kendler
Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.
-
Publication No.: US10362373B2
Publication Date: 2019-07-23
Application No.: US15083586
Filing Date: 2016-03-29
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew, Alison Kendler
Abstract: In one embodiment, a method includes receiving a flow including a plurality of bytes, each byte having one of a plurality of byte values, determining a byte value distribution metric based on a number of instances of each of the plurality of byte values in the flow, and transmitting telemetry data regarding the flow, the telemetry data including the byte value distribution metric.
-
Publication No.: US20230029656A1
Publication Date: 2023-02-02
Application No.: US17390319
Filing Date: 2021-07-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, Andrew Chi, David Arthur McGrew, Saran Singh Ahluwalia
IPC: H04L12/911, G06N20/00, H04L29/08, H04L12/26
Abstract: Techniques and mechanisms for identifying unmanaged cloud resources with endpoint and network logs and attributing the identified cloud resources to an entity of an enterprise that owns the cloud resources. The process collects data from sources, e.g., endpoint and network logs, with respect to traffic in a computer network and based at least in part on the data, extracts relationships related to the traffic. The process applies rules to the relationships to extract destinations in the computer network that provide cloud resources in a cloud environment, wherein the cloud resources are owned by an enterprise. One or more users or business entities of the enterprise are identified as accessing the cloud resources.
-
Publication No.: US20220360606A1
Publication Date: 2022-11-10
Application No.: US17307677
Filing Date: 2021-05-04
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew
Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.
-
Publication No.: US11272268B2
Publication Date: 2022-03-08
Application No.: US17389537
Filing Date: 2021-07-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew, Alison Kendler
Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.
-
Publication No.: US20210360336A1
Publication Date: 2021-11-18
Application No.: US17389537
Filing Date: 2021-07-30
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew, Alison Kendler
Abstract: In one embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the flow without decrypting the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, creating a classification response, and using the classification response to modify processing of the flow. In another embodiment, a method for classifying an encrypted flow includes receiving a plurality of packets associated with an encrypted flow traversing a network, collecting telemetry data from the first plurality of packets associated with the flow, sending the telemetry data to a backend system for classification, using the telemetry data to classify the flow using a machine learning classifier, and using the output of the classifier to modify processing of the flow.
-
Publication No.: US20240236118A1
Publication Date: 2024-07-11
Application No.: US18152649
Filing Date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: David Arthur McGrew, Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/1416, H04L63/0236, H04L63/1425
Abstract: This disclosure describes techniques and mechanisms for detecting and alerting on domain fronting within a network using network location context. Popular services are often hosted by multiple CDNs to increase resiliency and decrease latency. The techniques described herein utilize this insight to identify anomalous encrypted sessions by first creating a baseline of domain name resolutions for a given customer site. The techniques may then look for encrypted sessions destined to an IP address that is anomalous for the given domain name and is known to support domain fronting.
-
Publication No.: US20240236117A1
Publication Date: 2024-07-11
Application No.: US18152542
Filing Date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: David Arthur McGrew, Blake Harrell Anderson
IPC: H04L9/40
CPC classification number: H04L63/1416
Abstract: This disclosure describes techniques and mechanisms for improving blocking and alerting with domain fronting intelligence. The techniques may identify Internet infrastructure that supports domain fronting through passive data collection and active scanning of the data. The results of the active scanning are then used to generate enhanced threat intelligence feeds that associate indicators of compromise with their support of domain fronting. The new feeds are then used to perform more aggressive blocking, raise weak alerts that can be correlated to other alerts, and to create a more secure DNS system by de-prioritizing infrastructure that supports domain fronting for DNS responses.
-
Publication No.: US11936690B2
Publication Date: 2024-03-19
Application No.: US18095443
Filing Date: 2023-01-10
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew
CPC classification number: H04L63/166, G06F18/22, G06F18/23, H04L63/306
Abstract: Techniques and mechanisms for using passively collected network data to automatically generate a fingerprint prevalence database without the need for endpoint ground truth. The process first clusters all observations with the same fingerprint string and similar source and destination context. The process then annotates each cluster with descriptive information and uses a rule-based system to derive an informative name from that descriptive information, e.g., “winnt amp client” or “cross-platform browser”. Optionally, the learned database may be augmented by a user to clarify custom process labels. Additionally, the generated database may be used to report the inferred processes in the same way as databases generated with endpoint ground truth.
-
Publication No.: US11800260B2
Publication Date: 2023-10-24
Application No.: US17154053
Filing Date: 2021-01-21
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David Arthur McGrew, Alison Kendler
CPC classification number: H04Q9/02, H04L9/3066, H04L63/0428, H04L63/166, H04Q9/00, H04L63/0823, H04Q2209/30
Abstract: In one embodiment, a method includes receiving a traffic flow including a plurality of packets encrypted using a cryptographic protocol, determining cryptographic protocol data of the traffic flow, and transmitting telemetry data of the traffic flow including the cryptographic protocol data. In another embodiment, a method includes receiving telemetry data of a traffic flow including a plurality of packets encrypted using a cryptographic protocol, the telemetry data including cryptographic protocol data of the traffic flow, classifying the traffic flow based on the cryptographic protocol data using a machine learning classifier; and taking a remedial action with respect to the traffic flow based on the classification of the traffic flow.