-
Publication (Announcement) No.: US20240356942A1
Publication (Announcement) Date: 2024-10-24
Application No.: US18231815
Filing Date: 2023-08-09
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Cenek Skarda
IPC: H04L9/40
CPC classification number: H04L63/1425, H04L63/1416
Abstract: Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.
-
Publication (Announcement) No.: US20230281300A1
Publication (Announcement) Date: 2023-09-07
Application No.: US17847829
Filing Date: 2022-06-23
Applicant: Cisco Technology, Inc.
Inventor: Pavel Prochazka, Stepan Dvorak, Lukas Bajer, Martin Kopp, Kyrylo Shcherbin
IPC: G06F21/55
CPC classification number: G06F21/55, G06F2221/034
Abstract: Techniques for identifying malicious actors across datasets of different origin. The techniques may include receiving input data indicative of network interactions between entities and modalities. Based at least in part on the input data, a maliciousness score associated with a first entity may be determined. In some instances, a value of the maliciousness score may be partially based on a number of the modalities that are interacting with the first entity and also interacting with one or more malicious entities. The techniques may further include determining whether the value of the maliciousness score exceeds a threshold value and, based at least in part on the value of the maliciousness score exceeding the threshold value, a request may be made to identify the first entity as a new malicious entity.
-
Publication (Announcement) No.: US20230133892A1
Publication (Announcement) Date: 2023-05-04
Application No.: US17668639
Filing Date: 2022-02-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Kopp, Kyrylo Shcherbin, Jaroslav Hlavac, Cenek Skarda
IPC: H04L9/40
Abstract: Techniques for combining threat-related events associated with different modalities to provide a complete insight into cyber attack life cycles. The techniques may include receiving telemetry data associated with one or more modalities and detecting, based at least in part on the telemetry data, one or more abnormal events associated with security incidents. The one or more abnormal events may include at least a first abnormal event associated with a first modality and a second abnormal event associated with a second modality. The techniques may also include determining that an entity associated with the abnormal events is a same entity and, based at least in part on the entity comprising the same entity, determining that a correlation between the abnormal events is indicative of a security incident. Based at least in part on the correlation, an indication associated with the security incident may be output.
-
Publication (Announcement) No.: US10805377B2
Publication (Announcement) Date: 2020-10-13
Application No.: US15598541
Filing Date: 2017-05-18
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Jan Kohout, Martin Kopp
Abstract: A computing device having connectivity to a network stores one or more existing device models, where each of the one or more existing device models is a representation of a different client device used by a first authenticated user to access the network. The computing device obtains a device sample, which comprises network traffic data that is captured during a period of time and which is generated by a particular client device associated with the authenticated user of the network. The computing device determines, based on one or more relational criteria, whether the device sample should be assigned to one of the one or more existing device models or to an additional device model that has not yet been created. The computing device then determines relative identity of the particular client device based on whether the device sample is assigned to one of the one or more device models or to an additional device model that has not yet been created.
-
Publication (Announcement) No.: US20200304462A1
Publication (Announcement) Date: 2020-09-24
Application No.: US16360494
Filing Date: 2019-03-21
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
IPC: H04L29/06
Abstract: A method includes, at a server in a network, detecting for a user device network incidents relating to one or more security threats in the network using a plurality of threat detectors over a predetermined time period, each of the network incidents including one or more behavior indicators; assigning the network incidents into one or more groups, wherein each group corresponds to a type of security threat; generating a graph for a particular group of the user device, wherein the graph includes a plurality of nodes each representing a behavior indicator in the particular group, and wherein generating the graph includes assigning an edge to connect two nodes of the plurality of nodes if the two nodes correspond to behavior indicators that belong to a same network incident; and displaying the graph on a graphical user interface for a user.
-
Publication (Announcement) No.: US20200244672A1
Publication (Announcement) Date: 2020-07-30
Application No.: US16261682
Filing Date: 2019-01-30
Applicant: Cisco Technology, Inc.
Inventor: Martin Grill, Lukas Bajer, Martin Kopp, Jan Kohout
IPC: H04L29/06
Abstract: In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
-
Publication (Announcement) No.: US20200120004A1
Publication (Announcement) Date: 2020-04-16
Application No.: US16156020
Filing Date: 2018-10-10
Applicant: Cisco Technology, Inc.
Inventor: Jan Kohout, Martin Grill, Martin Kopp, Lukas Bajer
IPC: H04L12/26, H04L12/851
Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding network traffic associated with a device in a network. The traffic analysis service forms a histogram of frequencies of the traffic features from the telemetry data for the device. The traffic features are indicative of endpoints with which the device communicated. The traffic analysis service associates a device type with the device, by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. The traffic analysis service initiates, based on the device type associated with the device, an adjustment to treatment of the traffic associated with the device by the network.
-
Publication (Announcement) No.: US10601847B2
Publication (Announcement) Date: 2020-03-24
Application No.: US15629906
Filing Date: 2017-06-22
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Lukas Machlica
Abstract: A user behavior activity detection method is provided in which network traffic relating to user behavior activities in a network is monitored. Data is stored representing network traffic within a plurality of time periods, each of the time periods serving as a transaction. Subsets of the network traffic in the transactions are identified as traffic suspected of relating to certain user behavior activities. The subsets of the network traffic in the transactions are assigned into one or more groups. A determination is made of one or more detection rules for each of the one or more groups based on identifying, for each of the groups, a number of user behavior activities common to each of the subsets of the network traffic. The one or more detection rules are used to monitor future network traffic in the network to detect occurrence of the certain user behavior activities.
-
Publication (Announcement) No.: US10218718B2
Publication (Announcement) Date: 2019-02-26
Application No.: US15244486
Filing Date: 2016-08-23
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Tomas Pevny
Abstract: Rapidly detecting network threats with targeted detectors includes, at a computing device having connectivity to a network, determining features of background network traffic. Features are also extracted from a particular type of network threat. A characteristic of the particular type of network threat that best differentiates the features of the particular type of network threat from the features of the background network traffic is determined. A targeted detector for the particular type of network threat is created based on the characteristic and an action is applied to particular incoming network traffic identified by the targeted detector as being associated with the particular type of network threat.
-
Publication (Announcement) No.: US20190014134A1
Publication (Announcement) Date: 2019-01-10
Application No.: US15643573
Filing Date: 2017-07-07
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.