公开(公告)号：US10021070B2

公开(公告)日：2018-07-10

申请号：US14979042

申请日：2015-12-22

Applicant: CISCO TECHNOLOGY, INC.

Inventor： Jin Teng ,  Subharthi Paul ,  Thilan Niroshaka Ganegedara ,  Xun Wang ,  Saman Taghavi Zargar ,  Jayaraman Iyer

IPC: G06F17/00 ,  H04L29/06 ,  G06F17/30

CPC classification number: H04L63/0227 ,  G06F16/2379 ,  H04L63/0218 ,  H04L63/105

Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying at the centralized security matrix, a trust level of the end host, assigning at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.

公开(公告)号：US11443230B2

公开(公告)日：2022-09-13

申请号：US16135756

申请日：2018-09-19

Applicant: Cisco Technology, Inc.

Inventor： Nancy Cam-Winget ,  Subharthi Paul ,  Blake Anderson ,  Saman Taghavi Zargar ,  Oleg Bessonov ,  Robert Frederick Albach ,  Sanjay Kumar Agarwal ,  Mark Steven Knellinger

IPC: G06N20/00 ,  H04L9/40 ,  G06N5/04 ,  G06N20/20 ,  G06K9/62 ,  G06N7/00 ,  G06N20/10 ,  H04L67/12 ,  H04L67/00

Abstract: A trained model may be deployed to an Internet-of-Things (IOT) operational environment in order to ingest features and detect events extracted from network traffic. The model may be received and converted into a meta-language representation which is interpretable by a data plane engine. The converted model can then be deployed to the data plane and may extract features from network communications over the data plane. The extracted features may be fed to the deployed model in order to generate event classifications or device state classifications.

公开(公告)号：US11108810B2

公开(公告)日：2021-08-31

申请号：US16869726

申请日：2020-05-08

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US20210218771A1

公开(公告)日：2021-07-15

申请号：US16741794

申请日：2020-01-14

Applicant: Cisco Technology, Inc.

Inventor： Michel Khouderchah ,  Jayaraman Iyer ,  Kent K. Leung ,  Jianxin Wang ,  Donovan O'Hara ,  Saman Taghavi Zargar ,  Subharthi Paul

IPC: H04L29/06 ,  H04L12/24 ,  H04L29/08

Abstract: Presented herein are methodologies for implementing application security. A method includes generating an extraction vector based on a plurality of application security rules to be enforced, transmitting the extraction vector to a first agent operating on a first network device and to a second agent operating on a second network device; receiving, separately, from the first agent and from the second agent, first metadata generated by the first agent and second metadata generated by the second agent by the agents applying the extraction vector to network traffic passing, respectively, through the first network device and the second network device. The first metadata includes a transaction ID assigned by the first agent, and the second metadata includes the same transaction ID. The method further includes correlating the first metadata with the second metadata based on the transaction ID to construct a transactional service graph for the network traffic.

公开(公告)号：US20240348645A1

公开(公告)日：2024-10-17

申请号：US18417256

申请日：2024-01-19

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L9/40 ,  G06N20/00

CPC classification number: H04L63/145 ,  H04L63/0428 ,  H04L63/1408 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US20200267164A1

公开(公告)日：2020-08-20

申请号：US16869726

申请日：2020-05-08

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US20200244648A1

公开(公告)日：2020-07-30

申请号：US16851674

申请日：2020-04-17

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul ,  William Michael Hudson, JR. ,  Philip Ryan Perricone

IPC: H04L29/06 ,  G06F21/55 ,  H04L29/08 ,  H04L9/32

Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.

公开(公告)号：US10686831B2

公开(公告)日：2020-06-16

申请号：US15353160

申请日：2016-11-16

Applicant: Cisco Technology, Inc.

Inventor： Blake Harrell Anderson ,  David McGrew ,  Subharthi Paul ,  Ivan Nikolaev ,  Martin Grill

IPC: H04L29/06 ,  H04L9/32 ,  G06N99/00 ,  G06N20/00

Abstract: In one embodiment, a device in a network receives certificate data for an encrypted traffic flow associated with a client node in the network. The device determines one or more data features from the certificate data. The device determines one or more flow characteristics of the encrypted traffic flow. The device performs a classification of an application executed by the client node and associated with the encrypted traffic flow by using a machine learning-based classifier to assess the one or more data features from the certificate data and the one or more flow characteristics of the traffic flow. The device causes performance of a network action based on a result of the classification of the application.

公开(公告)号：US10666640B2

公开(公告)日：2020-05-26

申请号：US15848645

申请日：2017-12-20

Applicant: Cisco Technology, Inc.

Inventor： David McGrew ,  Blake Harrell Anderson ,  Subharthi Paul ,  William Michael Hudson, Jr. ,  Philip Ryan Perricone

IPC: H04L29/06 ,  G06F21/55 ,  H04L29/08 ,  H04L9/32

Abstract: In one embodiment, a device in a network observes traffic between a client and a server for an encrypted session. The device makes a determination that a server certificate should be obtained from the server. The device, based on the determination, sends a handshake probe to the server. The device extracts server certificate information from a handshake response from the server that the server sent in response to the handshake probe. The device uses the extracted server certificate information to analyze the traffic between the client and the server.

公开(公告)号：US10659484B2

公开(公告)日：2020-05-19

申请号：US15898915

申请日：2018-02-19

Applicant: Cisco Technology, Inc.

Inventor： Saman Taghavi Zargar ,  Subharthi Paul ,  Prashanth Patil ,  Jayaraman Iyer ,  Hari Shankar

IPC: H04L29/06 ,  H04L12/24 ,  G06N20/00

Abstract: In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.