-
Publication (Announcement) No.: US11233703B2
Publication (Announcement) Date: 2022-01-25
Application No.: US16196543
Filing Date: 2018-11-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Vejman, Lukas Machlica
Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
-
Publication (Announcement) No.: US20200329059A1
Publication (Announcement) Date: 2020-10-15
Application No.: US16912471
Filing Date: 2020-06-25
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication (Announcement) No.: US20230129786A1
Publication (Announcement) Date: 2023-04-27
Application No.: US18088284
Filing Date: 2022-12-23
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication (Announcement) No.: US20190123982A1
Publication (Announcement) Date: 2019-04-25
Application No.: US15790402
Filing Date: 2017-10-23
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Martin Vejman, Petr Somol
Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.
-
Publication (Announcement) No.: US20180167404A1
Publication (Announcement) Date: 2018-06-14
Application No.: US15372580
Filing Date: 2016-12-08
Applicant: Cisco Technology, Inc.
Inventor: Lukas Machlica, Martin Vejman
CPC classification number: H04L63/1425, H04L43/08, H04L43/16, H04L63/0421, H04L63/0478, H04L63/1441, H04L2463/144
Abstract: In one embodiment, a device in a network receives domain information from a plurality of traffic flows in the network. The device identifies a particular address from the plurality of traffic flows as part of an onion routing system based on the received domain information. The device distinguishes the particular address during analysis of the traffic flows by a traffic flow analyzer that includes a domain generation algorithm (DGA)-based traffic classifier. The device detects a malicious traffic flow from among the plurality of traffic flows using the traffic flow analyzer. The device causes performance of a mitigation action based on the detected malicious traffic flow.
-
Publication (Announcement) No.: US10735441B2
Publication (Announcement) Date: 2020-08-04
Application No.: US15848150
Filing Date: 2017-12-20
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication (Announcement) No.: US20200186547A1
Publication (Announcement) Date: 2020-06-11
Application No.: US16216361
Filing Date: 2018-12-11
Applicant: Cisco Technology, Inc.
Inventor: Karel Bartos, Martin Vejman
Abstract: In one embodiment, a device obtains telemetry data for a plurality of encrypted traffic flows observed in a network. The device clusters the flows into observed flow clusters, based on one or more flow-level features of the obtained telemetry data, as well as malware-related traffic telemetry data into malware-related flow clusters. The observed and malware-related telemetry data are indicative of sequence of packet lengths and times (SPLT) information for the traffic flows. The device samples sets of flows from the observed and malware-related flow clusters, with each set including at least one flow from an observed flow cluster and at least one flow from a malware-related flow cluster. The device trains a deep learning neural network to determine whether a particular encrypted traffic flow is malware-related, by using the SPLT information for the sampled sets of traffic flows as input to an input layer of neurons of the deep network.
-
Publication (Announcement) No.: US20200162339A1
Publication (Announcement) Date: 2020-05-21
Application No.: US16196543
Filing Date: 2018-11-20
Applicant: Cisco Technology, Inc.
Inventor: Martin Vejman, Lukas Machlica
Abstract: Techniques for enriching encrypted traffic analytics are presented. In one embodiment, a method includes obtaining telemetry data for one or more domains within a network. The telemetry data includes both encrypted traffic analytics information and traffic flow information associated with the network traffic. For each domain of the one or more domains, the method also includes generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature. The method includes generating a database comprising generated models for each of the domains and obtaining telemetry data for a target domain that includes traffic flow information, but does not include encrypted traffic analytics information. At least one encrypted traffic analytics feature of the target domain is determined based on a plurality of traffic flow information features of the target domain using the database.
-
Publication (Announcement) No.: US11539721B2
Publication (Announcement) Date: 2022-12-27
Application No.: US16912471
Filing Date: 2020-06-25
Applicant: Cisco Technology, Inc.
Inventor: Blake Harrell Anderson, David McGrew, Vincent E. Parla, Jan Jusko, Martin Grill, Martin Vejman
Abstract: In one embodiment, a service receives traffic telemetry data regarding encrypted traffic sent by an endpoint device in a network. The service analyzes the traffic telemetry data to infer characteristics of an application on the endpoint device that generated the encrypted traffic. The service receives, from a monitoring agent on the endpoint device, application telemetry data regarding the application. The service determines that the application is evasive malware based on the characteristics of the application inferred from the traffic telemetry data and on the application telemetry data received from the monitoring agent on the endpoint device. The service initiates performance of a mitigation action in the network, after determining that the application on the endpoint device is evasive malware.
-
Publication (Announcement) No.: US11271833B2
Publication (Announcement) Date: 2022-03-08
Application No.: US15790402
Filing Date: 2017-10-23
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Martin Vejman, Petr Somol
IPC: H04L12/26, H04L43/062, H04L29/06, G06N20/00, H04L41/16, H04L43/026
Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.