Detection of malware and malicious applications

    Publication (Announcement) No.: US11700275B2

    Publication (Announcement) Date: 2023-07-11

    Application No.: US17360910

    Application Date: 2021-06-28

    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

    Service usage model for traffic analysis

    Publication (Announcement) No.: US10785247B2

    Publication (Announcement) Date: 2020-09-22

    Application No.: US15413921

    Application Date: 2017-01-24

    Abstract: In one embodiment, a device in a network identifies a set of services of a domain accessed by a plurality of users in the network. The device generates a service usage model for the domain based on the set of services accessed by the plurality of users. The service usage model models usage of the services of the domain by the plurality of users. The device trains a machine learning-based classifier to analyze traffic in the network using a set of training feature vectors. A particular training feature vector includes data indicative of service usage by one of the users for the domain and the modeled usage of the services of the domain by the plurality of users. The device causes classification of traffic in the network associated with a particular user by the trained machine learning-based classifier.

    Rapid, targeted network threat detection

    Publication (Announcement) No.: US10218718B2

    Publication (Announcement) Date: 2019-02-26

    Application No.: US15244486

    Application Date: 2016-08-23

    Abstract: Rapidly detecting network threats with targeted detectors includes, at a computing device having connectivity to a network, determining features of background network traffic. Features are also extracted from a particular type of network threat. A characteristic of the particular type of network threat that best differentiates the features of the particular type of network threat from the features of the background network traffic is determined. A targeted detector for the particular type of network threat is created based on the characteristic and an action is applied to particular incoming network traffic identified by the targeted detector as being associated with the particular type of network threat.

    PRIVATE-LEARNED IDS

    Status: Invention application, under examination (published)

    Publication (Announcement) No.: US20190014134A1

    Publication (Announcement) Date: 2019-01-10

    Application No.: US15643573

    Application Date: 2017-07-07

    Abstract: In one embodiment, a device in a network maintains a plurality of machine learning-based detectors for an intrusion detection system. Each detector is associated with a different portion of a feature space of traffic characteristics assessed by the intrusion detection system. The device provides data regarding the plurality of detectors to a user interface. The device receives an adjustment instruction from the user interface based on the data provided to the user interface regarding the plurality of detectors. The device adjusts the portions of the feature space associated with the plurality of detectors based on the adjustment instruction received from the user interface.

    Active prioritization of investigation targets in network security

    Publication (Announcement) No.: US10904271B2

    Publication (Announcement) Date: 2021-01-26

    Application No.: US15789022

    Application Date: 2017-10-20

    Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.

    Detection of malware and malicious applications

    Publication (Announcement) No.: US10305928B2

    Publication (Announcement) Date: 2019-05-28

    Application No.: US14820265

    Application Date: 2015-08-06

    Abstract: A method comprises receiving, at a network infrastructure device, a flow of packets, determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram and determining a first length of the first datagram, determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram, determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram, sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.

    Explaining network anomalies using decision trees

    Publication (Announcement) No.: US10230747B2

    Publication (Announcement) Date: 2019-03-12

    Application No.: US14879425

    Application Date: 2015-10-09

    Abstract: In an embodiment, the method comprises receiving an identification of an anomaly associated with a false positive identification of a security threat by the intrusion detection system, wherein a first set of feature data identifies features of the anomaly; creating a plurality of training sets each comprising identifications of a plurality of samples of network communications; for the anomaly and each training set of the plurality of training sets, training a decision tree that is stored in digital memory of the security analysis computer; based at least in part on the plurality of trained decision trees, extracting a set of features that distinguish the anomaly from the plurality of samples; generating one or more rules associated with the anomaly from the extracted set of features and causing programming the security analysis computer with the one or more rules.

    Events from network flows

    Status: Invention granted, in force

    Publication (Announcement) No.: US09374383B2

    Publication (Announcement) Date: 2016-06-21

    Application No.: US14519160

    Application Date: 2014-10-21

    CPC classification number: H04L63/1416 H04L67/10

    Abstract: In one embodiment, a system includes a processor to receive network flows, for each of one of a plurality of event-types, compare each one of the network flows to a flow-specific criteria of the one event-type to determine if the one network flow satisfies the flow-specific criteria, for each one of the event-types, for each one of the network flows satisfying the flow-specific criteria of the one event-type, assign the one network flow to a proto-event of the one-event type, test different combinations of the network flows assigned to the proto-event of the one event-type against aggregation criteria of the one event-type to determine if one combination of the network flows assigned to the proto-event of the one event-type satisfies the aggregation criteria for the one event-type and identifies an event of the one event-type from among the network flows of the proto-event. Related apparatus and methods are also described.

    Abstract translation: 在一个实施例中,系统包括处理器,用于为多个事件类型中的一个事件类型中的每一个接收网络流,将每个网络流中的每一个与一个事件类型的流特定标准进行比较,以确定一个 网络流满足针对每个事件类型的流特定标准,对于满足一个事件类型的流特定标准的每个网络流,将一个网络流分配给一个事件类型的原始事件 一事件类型,测试分配给一个事件类型的原始事件的网络流的不同组合,以反映一种事件类型的聚合标准,以确定分配给原始事件的网络流的一个组合是否为 一个事件类型满足一个事件类型的聚合标准,并从原始事件的网络流中识别一个事件类型的事件。 还描述了相关装置和方法。

    Detection of malicious network connections

    Status: Invention granted, in force

    Publication (Announcement) No.: US09344441B2

    Publication (Announcement) Date: 2016-05-17

    Application No.: US14485731

    Application Date: 2014-09-14

    Abstract: In one embodiment, a method, system and apparatus are described for detecting a malicious network connection, the method, system and apparatus including determining, for each connection over a network, whether the connection is a persistent connection; if, as a result of the determining, a first connection is determined to be a persistent connection, collecting connection statistics for the first connection; creating a feature vector for the first connection based on the collected statistics; performing outlier detection over the feature vectors of all connections over the network which have been determined to be persistent connections; and reporting detected outliers. Related methods, systems and apparatus are also described.

    Abstract translation: 在一个实施例中,描述了一种用于检测恶意网络连接的方法,系统和装置,所述方法系统和装置包括针对网络上的每个连接确定每个连接是否是持久连接,如果作为确定的结果, 确定第一连接是持久连接,收集第一连接的连接统计信息,基于所收集的统计信息创建用于第一连接的特征向量,对具有网络的所有连接的所有连接的所有特征向量进行异常检测 被确定为持续连接,并报告检测到异常值。 还描述了相关方法,系统和装置。

Patent Agency Ranking