-
Publication (Announcement) No.: US09699202B2
Publication (Announcement) Date: 2017-07-04
Application No.: US14717127
Application Date: 2015-05-20
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Titouan Rigoudy
IPC: H04L29/06
CPC classification number: H04L63/1416, H04L63/1425, H04L63/1483
Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
-
Publication (Announcement) No.: US10193907B2
Publication (Announcement) Date: 2019-01-29
Application No.: US15616514
Application Date: 2017-06-07
Applicant: Cisco Technology, Inc.
Inventor: David McGrew, Titouan Rigoudy
Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
-