-
Publication (Announcement) No.: US20240259414A1
Publication (Announcement) Date: 2024-08-01
Application No.: US18632209
Application Date: 2024-04-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Cenek Skarda, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication (Announcement) No.: US20230281300A1
Publication (Announcement) Date: 2023-09-07
Application No.: US17847829
Application Date: 2022-06-23
Applicant: Cisco Technology, Inc.
Inventor: Pavel Prochazka, Stepan Dvorak, Lukas Bajer, Martin Kopp, Kyrylo Shcherbin
IPC: G06F21/55
CPC classification number: G06F21/55, G06F2221/034
Abstract: Techniques for identifying malicious actors across datasets of different origin. The techniques may include receiving input data indicative of network interactions between entities and modalities. Based at least in part on the input data, a maliciousness score associated with a first entity may be determined. In some instances, a value of the maliciousness score may be partially based on a number of the modalities that are interacting with the first entity and also interacting with one or more malicious entities. The techniques may further include determining whether the value of the maliciousness score exceeds a threshold value and, based at least in part on the value of the maliciousness score exceeding the threshold value, a request may be made to identify the first entity as a new malicious entity.
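The abstract above states the scoring idea only in general terms: an entity earns a maliciousness score from the number of modalities that interact both with it and with entities already known to be malicious, and crossing a threshold triggers a request to label it as a new malicious entity. The following is an illustration added by the editor, not code from the patent or from Cisco. It assumes a bipartite view in which the modalities are internal hosts and the entities are the domains they contacted, uses a constructed interaction list and constructed malicious labels, and adds a ratio guard (the shared count divided by the entity's total number of modalities) that the abstract does not mention, so that a popular benign entity contacted by everyone, infected hosts included, is not flagged on raw count alone.

```python
from collections import defaultdict

# Constructed sample input: (modality, entity) interaction pairs. Here the
# modalities are internal hosts and the entities are the domains they
# contacted; both roles are illustrative assumptions, not the patent's terms.
INTERACTIONS = [
    ("host-1", "evil.example"), ("host-1", "cdn.example"), ("host-1", "stage.example"),
    ("host-2", "c2.example"),   ("host-2", "cdn.example"), ("host-2", "stage.example"),
    ("host-3", "evil.example"), ("host-3", "stage.example"),
    ("host-4", "cdn.example"),  ("host-4", "news.example"),
    ("host-5", "cdn.example"),
    ("host-6", "cdn.example"),  ("host-6", "news.example"),
]
# Entities already labelled malicious (constructed labels).
KNOWN_MALICIOUS = {"evil.example", "c2.example"}


def build_index(interactions):
    """Index the interaction pairs in both directions."""
    by_modality, by_entity = defaultdict(set), defaultdict(set)
    for modality, entity in interactions:
        by_modality[modality].add(entity)
        by_entity[entity].add(modality)
    return by_modality, by_entity


def maliciousness_scores(interactions=INTERACTIONS, known_malicious=KNOWN_MALICIOUS):
    """For every entity not already labelled malicious, count the modalities
    that interact with it AND with at least one known-malicious entity.
    'ratio' normalises that count by the entity's total number of modalities."""
    by_modality, by_entity = build_index(interactions)
    # Modalities that touched anything already known to be malicious.
    tainted = {m for m, ents in by_modality.items() if ents & known_malicious}
    scores = {}
    for entity, mods in by_entity.items():
        if entity in known_malicious:
            continue
        shared = len(mods & tainted)
        scores[entity] = {"shared": shared, "total": len(mods), "ratio": shared / len(mods)}
    return scores


def propose_new_malicious(interactions=INTERACTIONS, known_malicious=KNOWN_MALICIOUS,
                          min_shared=2, min_ratio=0.6):
    """Entities whose score meets both thresholds, i.e. the candidates for
    which a 'label as new malicious entity' request would be raised."""
    return sorted(
        entity for entity, s in maliciousness_scores(interactions, known_malicious).items()
        if s["shared"] >= min_shared and s["ratio"] >= min_ratio
    )


if __name__ == "__main__":
    for entity, s in sorted(maliciousness_scores().items()):
        print(f"{entity:14s} shared={s['shared']} total={s['total']} ratio={s['ratio']:.2f}")
    print("proposed:", propose_new_malicious())
```

With the constructed data, stage.example is contacted only by hosts that also reached a known-malicious domain (shared 3 of 3) and is proposed; cdn.example is reached by two such hosts as well, but by three clean ones too (shared 2 of 5), so the ratio guard keeps it out unless min_ratio is lowered to zero, which shows why a count-only threshold would flag shared infrastructure.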
-
Publication (Announcement) No.: US20230133892A1
Publication (Announcement) Date: 2023-05-04
Application No.: US17668639
Application Date: 2022-02-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
IPC: H04L9/40
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication (Announcement) No.: US11985154B2
Publication (Announcement) Date: 2024-05-14
Application No.: US17668639
Application Date: 2022-02-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
IPC: H04L9/40
CPC classification number: H04L63/1425
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
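The abstract above (shared by US20230133892A1, US11985154B2 and the continuation US20240259414A1 listed on this page) describes the correlation only in outline: abnormal events from at least two different modalities, resolved to the same entity, are treated together as evidence of one security incident and an indication is output. The following is an illustration added by the editor, not code from the patents or from Cisco. It assumes the per-modality detectors have already run and emitted events carrying a resolved entity key, uses two illustrative modalities ("netflow" and "endpoint"), a one-hour correlation window, and constructed sample events; the window length and the requirement of at least two distinct modalities are the editor's choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: abnormal events already detected per modality.
# Each tuple is (modality, entity, ISO-8601 timestamp, description).
ABNORMAL_EVENTS = [
    ("netflow",  "host-17", "2024-03-01T10:02:00", "periodic beaconing to a rare external IP"),
    ("endpoint", "host-17", "2024-03-01T10:05:30", "unsigned binary spawned by an Office process"),
    ("netflow",  "host-22", "2024-03-01T11:00:00", "unusually large outbound transfer"),
    ("netflow",  "host-22", "2024-03-01T11:04:00", "DNS queries with high-entropy labels"),
    ("endpoint", "host-09", "2024-03-01T09:00:00", "credential-dumping tool executed"),
    ("netflow",  "host-09", "2024-03-01T16:30:00", "sweep of an internal subnet"),
]


def parse_events(raw):
    """Parse timestamps; events are assumed to already carry a resolved entity key."""
    return [(mod, ent, datetime.fromisoformat(ts), desc) for mod, ent, ts, desc in raw]


def correlate(events, window=timedelta(hours=1), min_modalities=2):
    """Group events per entity and keep, for each entity, the largest run of
    time-sorted events that fits inside `window` and spans at least
    `min_modalities` distinct modalities. Returns {entity: [events]}."""
    by_entity = defaultdict(list)
    for ev in events:
        by_entity[ev[1]].append(ev)

    incidents = {}
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e[2])
        start, best = 0, []
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][2] - evs[start][2] > window:
                start += 1
            group = evs[start:end + 1]
            if len({e[0] for e in group}) >= min_modalities and len(group) > len(best):
                best = group
        if best:
            incidents[entity] = best
    return incidents


def detect_incidents(raw=ABNORMAL_EVENTS, window_hours=1.0):
    """Return the indication that would be output for each correlated incident."""
    incidents = correlate(parse_events(raw), timedelta(hours=window_hours))
    return {
        entity: {
            "modalities": sorted({e[0] for e in evs}),
            "first_seen": min(e[2] for e in evs).isoformat(),
            "events": [e[3] for e in evs],
        }
        for entity, evs in incidents.items()
    }


if __name__ == "__main__":
    for entity, info in detect_incidents().items():
        print(entity, info)
```

Two negative cases are built into the sample: host-22 has two anomalies, but both come from the netflow modality, so they never count as a cross-modality correlation; host-09 has an endpoint and a netflow anomaly but seven and a half hours apart, so it is reported only when the window is widened (for instance to eight hours). Only host-17 is reported with the default one-hour window.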
-
Publication (Announcement) No.: US20240031328A1
Publication (Announcement) Date: 2024-01-25
Application No.: US18110138
Application Date: 2023-02-15
Applicant: Cisco Technology, Inc.
Inventor: Kyrylo Shcherbin, Jan Stercl, Jan Kohout, Martin Kopp
IPC: H04L61/4594
CPC classification number: H04L61/4594
Abstract: This disclosure describes techniques for matching entities across a computing network using data from different telemetries. The techniques include receiving telemetry data of the computing network, the telemetry data including identifying information corresponding to an entity, associated information of the computing network, and/or timestamps. The techniques also include establishing one or more time windows based at least in part on the timestamps. A particular time window may be determined to correspond to the associated information. The techniques may include attributing the associated information to the entity. In some cases, an address book may be maintained, including mappings of the identifying information, the associated information, and/or time windows.
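The abstract above describes the matching step in general terms: identifying information from one telemetry is tied to an entity for a time window derived from timestamps, and associated information from another telemetry is attributed to that entity when its timestamp falls in the window, with an address book holding the mappings. The following is an illustration added by the editor, not code from the patent or from Cisco. It assumes the identifying information is an IP address, that the identity telemetry arrives as lease-style records with an explicit start and end (a DHCP-like source is the editor's assumption; the abstract does not say how windows are derived), and that the associated information is a network observation keyed only by IP; all records are constructed.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed identity telemetry (lease-style records): the IP, the entity
# that held it, and the window during which the mapping was valid.
LEASES = [
    ("10.0.0.5", "alice-laptop", "2024-03-01T08:00:00", "2024-03-01T12:00:00"),
    ("10.0.0.5", "bob-laptop",   "2024-03-01T12:30:00", "2024-03-01T18:00:00"),
    ("10.0.0.9", "printer-3f",   "2024-03-01T00:00:00", "2024-03-02T00:00:00"),
]

# Constructed network telemetry that carries only an IP: ip, timestamp, observation.
FLOWS = [
    ("10.0.0.5", "2024-03-01T09:15:00", "DNS query for a rare domain"),
    ("10.0.0.5", "2024-03-01T13:45:00", "SMB session to the file server"),
    ("10.0.0.5", "2024-03-01T12:10:00", "outbound TLS to an unknown IP"),   # between two leases
    ("10.0.0.7", "2024-03-01T10:00:00", "ICMP sweep of the subnet"),         # IP never leased
]


def build_address_book(leases):
    """Address book: ip -> list of (start, end, entity), sorted by start time."""
    book = defaultdict(list)
    for ip, entity, start, end in leases:
        book[ip].append((datetime.fromisoformat(start), datetime.fromisoformat(end), entity))
    for windows in book.values():
        windows.sort(key=lambda w: w[0])
    return book


def attribute(book, ip, ts):
    """Entity that held `ip` at time `ts`, or None when no window covers it.
    Binary search on the window starts, then check the end bound, so that a
    timestamp in the gap between two leases is not attributed to either."""
    windows = book.get(ip, [])
    starts = [w[0] for w in windows]
    i = bisect_right(starts, ts) - 1
    if i >= 0 and windows[i][0] <= ts <= windows[i][1]:
        return windows[i][2]
    return None


def attribute_flows(leases=LEASES, flows=FLOWS):
    """Attach an entity (or None) to every network observation."""
    book = build_address_book(leases)
    return [(attribute(book, ip, datetime.fromisoformat(ts)), ip, ts, obs)
            for ip, ts, obs in flows]


if __name__ == "__main__":
    for entity, ip, ts, obs in attribute_flows():
        print(f"{ts}  {ip:10s}  {entity or '<unattributed>':15s}  {obs}")
```

The same IP is attributed to alice-laptop at 09:15 and to bob-laptop at 13:45 because the address book keeps both windows rather than a single latest mapping. The observation at 12:10 falls in the gap between the two leases and the one from 10.0.0.7 has no window at all, so both stay unattributed; attributing them to the nearest entity would be a guess that the timestamps do not support.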
-