-
Publication (Announcement) No.: US11956208B2
Publication (Announcement) Date: 2024-04-09
Application No.: US17722915
Application Date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
CPC classification number: H04L63/02, H04L63/1425, H04L63/145, G06T11/206, G06T2200/24
Abstract: A method includes, at a server in a network, detecting, for a user device, network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents to one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge connecting two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to the same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication (Announcement) No.: US20200162339A1
Publication (Announcement) Date: 2020-05-21
Application No.: US16196543
Application Date: 2018-11-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Vejman, Lukas Machlica
Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
-
Publication (Announcement) No.: US20190102337A1
Publication (Announcement) Date: 2019-04-04
Application No.: US15722412
Application Date: 2017-10-02
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Lukas Machlica
Abstract: In one embodiment, a device trains a machine learning-based malware classifier using a first randomly selected subset of samples from a training dataset. The classifier comprises a random decision forest. The device identifies, using at least a portion of the training dataset as input to the malware classifier, a set of misclassified samples from the training dataset that the malware classifier misclassifies. The device retrains the malware classifier using a second randomly selected subset of samples from the training dataset and the identified set of misclassified samples. The device adjusts prediction labels of individual leaves of the random decision forest of the retrained malware classifier based in part on decision changes in the forest that result from assessing the entire training dataset with the classifier. The device sends the malware classifier with the adjusted prediction labels for deployment into a network.
-
Publication (Announcement) No.: US20220239630A1
Publication (Announcement) Date: 2022-07-28
Application No.: US17722915
Application Date: 2022-04-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
IPC: H04L9/40
Abstract: A method includes, at a server in a network, detecting, for a user device, network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents to one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge connecting two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to the same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication (Announcement) No.: US10979451B2
Publication (Announcement) Date: 2021-04-13
Application No.: US15896421
Application Date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica, Ivan Nikolaev, Karel Bartos, Martin Grill
Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The security device also detects potential DGA communications activity by applying a hostname-based classifier to DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity and identify DGA-performing malware based on that correlation.
-
Publication (Announcement) No.: US10187401B2
Publication (Announcement) Date: 2019-01-22
Application No.: US14934492
Application Date: 2015-11-06
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Lukas Machlica, Michal Sofka
Abstract: In one embodiment, a method includes receiving packet flow data at a feature extraction hierarchy comprising a plurality of levels, each of the levels comprising a set of feature extraction functions, computing a first set of feature vectors for the packet flow data at a first level of the feature extraction hierarchy, inputting the first set of feature vectors from the first level of the feature extraction hierarchy into a second level of the feature extraction hierarchy to compute a second set of feature vectors, and transmitting a final feature vector to a classifier to identify malicious traffic. An apparatus and logic are also disclosed herein.
-
Publication (Announcement) No.: US10885469B2
Publication (Announcement) Date: 2021-01-05
Application No.: US15722412
Application Date: 2017-10-02
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Lukas Machlica
Abstract: In one embodiment, a device trains a machine learning-based malware classifier using a first randomly selected subset of samples from a training dataset. The classifier comprises a random decision forest. The device identifies, using at least a portion of the training dataset as input to the malware classifier, a set of misclassified samples from the training dataset that the malware classifier misclassifies. The device retrains the malware classifier using a second randomly selected subset of samples from the training dataset and the identified set of misclassified samples. The device adjusts prediction labels of individual leaves of the random decision forest of the retrained malware classifier based in part on decision changes in the forest that result from assessing the entire training dataset with the classifier. The device sends the malware classifier with the adjusted prediction labels for deployment into a network.
-
Publication (Announcement) No.: US10728271B2
Publication (Announcement) Date: 2020-07-28
Application No.: US16437417
Application Date: 2019-06-11
Applicant: Cisco Technology, Inc.
Inventor: Jan Brabec, Lukas Machlica
Abstract: In one embodiment, a computing device provides a feature vector as input to a random decision forest comprising a plurality of decision trees trained using a training dataset, each decision tree being configured to output a classification label prediction for the input feature vector. For each of the decision trees, the computing device determines a conditional probability of the decision tree based on a true classification label and the classification label prediction from the decision tree for the input feature vector. The computing device generates weightings for the classification label predictions from the decision trees based on the determined conditional probabilities. The computing device applies a final classification label to the feature vector based on the weightings for the classification label predictions from the decision trees.
-
Publication (Announcement) No.: US20190253435A1
Publication (Announcement) Date: 2019-08-15
Application No.: US15896421
Application Date: 2018-02-14
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica, Ivan Nikolaev, Karel Bartos, Martin Grill
CPC classification number: H04L63/145, G06F21/554, G06F21/56, H04L61/1511, H04L63/1425, H04L2463/144
Abstract: In one embodiment, a security device in a computer network detects potential domain generation algorithm (DGA) searching activity using a domain name service (DNS) model to detect abnormally high DNS requests made by a host attempting to locate a command and control (C&C) server in the computer network. The security device also detects potential DGA communications activity by applying a hostname-based classifier to DGA domains associated with any server internet protocol (IP) address in a data stream from the host. The security device may then correlate the potential DGA searching activity with the potential DGA communications activity and identify DGA-performing malware based on that correlation.
-
Publication (Announcement) No.: US10193913B2
Publication (Announcement) Date: 2019-01-29
Application No.: US15228980
Application Date: 2016-08-04
Applicant: CISCO Technology, Inc.
Inventor: Lukas Machlica, Michal Sofka
Abstract: Systems and methods of the present disclosure provide technology to identify when network-connected devices are likely infected with malware. Network communications are monitored during a specific time window and a graph is created for a conditional random field (CRF) model. Vertices of the graph represent devices connected to the network, and an edge between two vertices indicates that one or more network communications occurred between the two devices represented by those vertices during the time window. Network devices can report observations about network behavior during the time window, and the observations can be used as input for the CRF model. The CRF model can then be used to determine infection-status values for the network devices.