-
Publication No.: US20190014134A1
Publication date: 2019-01-10
Application No.: US15643573
Filing date: 2017-07-07
Applicant: Cisco Technology, Inc.
Inventor: Martin Kopp, Petr Somol, Tomas Pevny, David McGrew
Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.
-
Publication No.: US10375143B2
Publication date: 2019-08-06
Application No.: US15248252
Filing date: 2016-08-26
Applicant: Cisco Technology, Inc.
Inventor: Tomas Pevny, Petr Somol
Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, traffic flows from a plurality of entities destined for a plurality of users, aggregating the traffic flows into discrete bags of traffic, wherein the bags of traffic comprise a plurality of flows of traffic for a given user over a predetermined period of time, extracting features from the bags of traffic and aggregating the features into per-flow feature vectors, aggregating the per-flow feature vectors into per-destination-domain aggregated vectors, combining the per-destination-domain aggregated vectors into a per-user aggregated vector, and classifying a computing device used by a given user as infected with malware when indicators of compromise detected in the bags of traffic indicate that the per-user aggregated vector for the given user includes suspicious features among the extracted features.
-
Publication No.: US20190114416A1
Publication date: 2019-04-18
Application No.: US15730949
Filing date: 2017-10-12
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Petr Somol
Abstract: In one embodiment, a device divides groups of tuples of traffic characteristics of encrypted network traffic into different pairs of the characteristics. Each of the pairs has a corresponding two dimensional (2-D) feature subspace. The device discretizes the 2-D feature subspaces, to form a plurality of bins in each feature subspace. The device assigns the pairs of the traffic characteristics in a particular group of tuples to the bins in the discretized 2-D feature subspaces. The device forms, for each group of tuples, a vector representation of the group of tuples based on the bins in the discretized 2-D feature subspaces to which the pairs of the traffic characteristics from the group are assigned. The vector representations of the groups of tuples are of a fixed dimension. The device uses the vector representations of the groups of tuples to train a machine learning-based traffic classifier.
-
Publication No.: US11374944B2
Publication date: 2022-06-28
Application No.: US16224963
Filing date: 2018-12-19
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Petr Somol
IPC: H04L29/06, H04L9/40, H04L41/142, G06N20/00, G06K9/62
Abstract: In one embodiment, a network security service forms, for each of a plurality of malware classes, a feature vector descriptor for the malware class. The service uses the feature vector descriptors for the malware classes and a symmetric mapping function to generate a training dataset having both positively and negatively labeled feature vectors. The service trains, using the training dataset, an instant threat detector to determine whether telemetry data for a particular traffic flow is within a threshold of similarity to a feature vector descriptor for a new malware class that was not part of the plurality of malware classes.
-
Publication No.: US11271954B2
Publication date: 2022-03-08
Application No.: US15650060
Filing date: 2017-07-14
Applicant: Cisco Technology, Inc.
Inventor: Tomáš Komárek, Petr Somol
Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.
-
Publication No.: US20190123982A1
Publication date: 2019-04-25
Application No.: US15790402
Filing date: 2017-10-23
Applicant: Cisco Technology, Inc.
Inventor: Tomas Komarek, Martin Vejman, Petr Somol
Abstract: In one embodiment, a device groups feature vectors representing network traffic flows into bags. The device forms a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag. The device extends one or more feature vectors in the particular bag with the bag representation. The extended one or more feature vectors are positive examples of a classification label for the network traffic. The device trains a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation.
-
Publication No.: US20190020671A1
Publication date: 2019-01-17
Application No.: US15650060
Filing date: 2017-07-14
Applicant: Cisco Technology, Inc.
Inventor: Tomáš Komárek, Petr Somol
Abstract: Presented herein are techniques for classifying devices as being infected with malware based on learned indicators of compromise. A method includes receiving, at a security analysis device, a set of feature vectors extracted from one or more flows of traffic to domains for a given user in a network during a period of time. The security analysis device analyzes the feature vectors included in the set of feature vectors with a set of operators to generate a set of per-flow vectors for the given user. Based on the set of per-flow vectors for the user, the security analysis device generates a single behavioral vector representative of the given user. The security analysis device classifies a computing device associated with the given user based on the single behavioral vector and at least one of known information or other behavioral vectors for other users.
-
Publication No.: US09374383B2
Publication date: 2016-06-21
Application No.: US14519160
Filing date: 2014-10-21
Applicant: Cisco Technology, Inc.
Inventor: Gustav Sourek, Karel Bartos, Filip Zelezny, Tomas Pevny, Petr Somol
CPC classification number: H04L63/1416, H04L67/10
Abstract: In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.
-
Publication No.: US20240106836A1
Publication date: 2024-03-28
Application No.: US18225517
Filing date: 2023-07-24
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-
Publication No.: US11750621B2
Publication date: 2023-09-05
Application No.: US16831197
Filing date: 2020-03-26
Applicant: Cisco Technology, Inc.
Inventor: Petr Somol, Martin Kopp, Jan Kohout, Jan Brabec, Marc René Jacques Marie Dupont, Cenek Skarda, Lukas Bajer, Danila Khikhlukha
Abstract: In one embodiment, a device obtains input features for a neural network-based model. The device pre-defines a set of neurons of the model to represent known behaviors associated with the input features. The device constrains weights for a plurality of outputs of the model. The device trains the neural network-based model using the constrained weights for the plurality of outputs of the model and by excluding the pre-defined set of neurons from updates during the training.
-