Extending encrypted traffic analytics with traffic flow data

    公开(公告)号:US11233703B2

    公开(公告)日:2022-01-25

    申请号:US16196543

    申请日:2018-11-20

    Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.

    CORRELATING ENDPOINT AND NETWORK VIEWS TO IDENTIFY EVASIVE APPLICATIONS

    公开(公告)号:US20200329059A1

    公开(公告)日:2020-10-15

    申请号:US16912471

    申请日:2020-06-25

    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

    CORRELATING ENDPOINT AND NETWORK VIEWS TO IDENTIFY EVASIVE APPLICATIONS

    公开(公告)号:US20230129786A1

    公开(公告)日:2023-04-27

    申请号:US18088284

    申请日:2022-12-23

    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

    Correlating endpoint and network views to identify evasive applications

    公开(公告)号:US10735441B2

    公开(公告)日:2020-08-04

    申请号:US15848150

    申请日:2017-12-20

    Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.

    DETECTING ENCRYPTED MALWARE WITH SPLT-BASED DEEP NETWORKS

    公开(公告)号:US20200186547A1

    公开(公告)日:2020-06-11

    申请号:US16216361

    申请日:2018-12-11

    Abstract: In one embodiment, a device obtains telemetry data for a plurality of encrypted traffic flows observed in a network. The device clusters the flows into observed flow clusters, based on one or more flow-level features of the obtained telemetry data, as well as malware-related traffic telemetry data into malware-related flow clusters. The observed and malware-related telemetry data are indicative of sequence of packet lengths and times (SPLT) information for the traffic flows. The device samples sets of flows from the observed and malware-related flow clusters, with each set including at least one flow from an observed flow cluster and at least one flow from a malware-related flow cluster. The device trains a deep learning neural network to determine whether a particular encrypted traffic flow is malware-related, by using the SPLT information for the sampled sets of traffic flows as input to an input layer of neurons of the deep network.

    EXTENDING ENCRYPTED TRAFFIC ANALYTICS WITH TRAFFIC FLOW DATA

    公开(公告)号:US20200162339A1

    公开(公告)日:2020-05-21

    申请号:US16196543

    申请日:2018-11-20

    Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.

Patent Agency Ranking