-
Publication No.: US10904271B2
Publication Date: 2021-01-26
Application No.: US15789022
Filing Date: 2017-10-20
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Jan Stiborek , Tomas Pevny
IPC: H04L29/06
Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.
-
Publication No.: US20190124094A1
Publication Date: 2019-04-25
Application No.: US15789022
Filing Date: 2017-10-20
Applicant: Cisco Technology, Inc.
Inventor: Jan Jusko , Jan Stiborek , Tomas Pevny
IPC: H04L29/06
Abstract: In one embodiment, a device analyzes network traffic data using a clustering process, to identify a cluster of addresses associated with the network traffic data for which the associated network traffic has similar behavioral characteristics. The device calculates a set of rankings for the cluster by comparing the cluster to different sets of malicious addresses. The device aggregates the set of rankings into a final ranking by setting the rankings in the set as current rankings and iteratively calculating an average of any subset of the current rankings that comprises correlated rankings. The calculated average replaces the rankings in the subset as a current ranking. When none of the current rankings are correlated, the device performs an aggregation across all of the current rankings to form the final ranking. The device provides data indicative of the cluster for review by a supervisor, based on the final ranking.
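The two records above (the granted patent and its earlier pre-grant publication) describe the same pipeline: cluster addresses by traffic behaviour, score each cluster against several malicious-address sets, then collapse correlated rankings by averaging before the final aggregation. The following is an added worked example of that pipeline, written for this page; it is not Cisco's code and the claims do not fix a clustering method, a correlation measure or a threshold, so the leader clustering on min-max normalised features, the Pearson correlation, the 0.6 threshold, and all addresses, traffic figures and feeds are assumptions constructed for the illustration.

```python
"""Behavioural clustering of addresses and correlation-aware aggregation of
per-feed rankings. Added illustration of the abstract above; not Cisco code.
All traffic figures, addresses and feeds below are constructed."""
import math
from itertools import combinations
from statistics import mean

# Constructed per-address behaviour: (connections per hour, mean bytes out, failed-connection ratio)
TRAFFIC = {
    "10.0.0.1": (12, 300, 0.00),    # low-rate, small, regular: beacon-like
    "10.0.0.2": (11, 320, 0.00),
    "10.0.0.3": (13, 290, 0.00),
    "10.0.0.4": (900, 60, 0.95),    # many tiny failed connections: scanner-like
    "10.0.0.5": (880, 70, 0.97),
    "10.0.0.6": (3, 50_000, 0.00),  # few large transfers: bulk download
    "10.0.0.7": (4, 52_000, 0.00),
}

# Constructed "sets of malicious addresses" (think: three threat-intel feeds).
# feed_a and feed_b overlap heavily, as feeds that share an upstream source do.
FEEDS = {
    "feed_a": {"10.0.0.1", "10.0.0.2", "10.0.0.4"},
    "feed_b": {"10.0.0.1", "10.0.0.3"},
    "feed_c": {"10.0.0.4", "10.0.0.5", "10.0.0.6"},
}


def cluster_addresses(traffic, radius=0.25):
    """Greedy leader clustering on min-max normalised features: an address joins the
    first cluster whose centroid lies within `radius`, otherwise it starts a new one."""
    cols = list(zip(*traffic.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]

    def norm(v):
        return tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi))

    clusters = []  # each: {"centroid": tuple, "members": [addr, ...]}
    for addr, feat in traffic.items():
        p = norm(feat)
        for c in clusters:
            if math.dist(p, c["centroid"]) <= radius:
                c["members"].append(addr)
                n = len(c["members"])
                c["centroid"] = tuple((ci * (n - 1) + pi) / n for ci, pi in zip(c["centroid"], p))
                break
        else:
            clusters.append({"centroid": p, "members": [addr]})
    return [sorted(c["members"]) for c in clusters]


def score_clusters(clusters, feeds):
    """One 'ranking' per feed: a vector over clusters giving the fraction of the
    cluster's members that appear on that feed (higher = more suspicious)."""
    return {
        name: tuple(sum(a in bad for a in members) / len(members) for members in clusters)
        for name, bad in feeds.items()
    }


def pearson(x, y):
    """Pearson correlation of two ranking vectors; 0.0 when either is constant."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def aggregate_rankings(rankings, threshold=0.6):
    """Repeatedly replace a subset of mutually correlated rankings by their average
    until no two remaining rankings correlate above `threshold`, then average what
    is left. Correlated (e.g. overlapping) feeds therefore count once, not twice."""
    current = [tuple(r) for r in rankings]
    dims = range(len(current[0]))
    while len(current) > 1:
        best, i, j = max((pearson(current[i], current[j]), i, j)
                         for i, j in combinations(range(len(current)), 2))
        if best < threshold:
            break
        group = {i, j}
        for k in range(len(current)):  # extend with rankings correlated to every group member
            if k not in group and all(pearson(current[k], current[m]) >= threshold for m in group):
                group.add(k)
        merged = tuple(mean(current[k][d] for k in group) for d in dims)
        current = [r for k, r in enumerate(current) if k not in group] + [merged]
    return tuple(mean(r[d] for r in current) for d in dims)


def review_queue(clusters, final):
    """Clusters ordered for analyst review, most suspicious first."""
    return sorted(zip(clusters, final), key=lambda cf: cf[1], reverse=True)


if __name__ == "__main__":
    cl = cluster_addresses(TRAFFIC)
    ranks = score_clusters(cl, FEEDS)
    final = aggregate_rankings(list(ranks.values()))
    for members, score in review_queue(cl, final):
        print(f"{score:.3f}  {members}")
```

On the constructed data, feed_a and feed_b both flag the beacon-like cluster and correlate at about 0.69, so they are averaged into one ranking before the final step; a plain mean over the three feeds would have let the two overlapping feeds vote twice for that cluster. The scanner-like cluster ends up at the top of the review queue either way here, but the merged scores (1/3, 5/8, 1/4 versus 0.44, 0.50, 0.17 unmerged) show how much weight the correlation step removes from duplicated intelligence.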
-
Publication No.: US10015192B1
Publication Date: 2018-07-03
Application No.: US14934398
Filing Date: 2015-11-06
Applicant: CISCO TECHNOLOGY, INC.
Inventor: Jan Stiborek , Martin Rehak
CPC classification number: H04L63/145 , H04L63/1416
Abstract: In one embodiment, a method includes creating a set of network related indicators of compromise at a computing device, the set associated with a malicious network operation, identifying at the computing device, samples comprising at least one of the indicators of compromise in the set, creating sub-clusters of the samples at the computing device, and selecting at the computing device, one of the samples from the sub-clusters for additional analysis, wherein results of the analysis provide information for use in malware detection. An apparatus and logic are also disclosed herein.
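The abstract above describes a triage loop: build a set of network IOCs for one malicious operation, keep only the samples that exhibit at least one of them, sub-cluster those samples, and send one sample per sub-cluster for deeper analysis rather than all of them. The following is an added worked example of that loop, written for this page; it is not Cisco's code. The abstract does not specify how sub-clusters are formed or how the representative is chosen, so the Jaccard similarity over observed indicators, the 0.4 threshold and the medoid selection are assumptions, as are all indicators and sandbox observations (reserved .example names and TEST-NET addresses, constructed for the illustration).

```python
"""IOC-driven sample triage: select one representative sample per sub-cluster for
deeper analysis. Added illustration of the abstract above, not Cisco code; all
indicators and sandbox observations are constructed (reserved .example names,
TEST-NET addresses)."""

# Step 1 input: network IOCs tied to one malicious operation (constructed).
IOCS = {"evil-cdn.example", "203.0.113.7", "/gate.php", "update-check.example"}

# Step 2 input: per-sample network indicators observed in a sandbox (constructed).
SAMPLES = {
    "s1": {"evil-cdn.example", "/gate.php", "203.0.113.7", "ocsp.example"},
    "s2": {"evil-cdn.example", "/gate.php", "ocsp.example"},
    "s3": {"evil-cdn.example", "203.0.113.7", "/gate.php", "ocsp.example", "time.example"},
    "s4": {"update-check.example", "198.51.100.9"},
    "s5": {"update-check.example", "198.51.100.9", "cdn.example"},
    "s6": {"windowsupdate.example", "ocsp.example"},  # benign-looking: no IOC hit
}


def matching_samples(samples, iocs):
    """Samples that exhibit at least one IOC from the set."""
    return {sid: inds for sid, inds in samples.items() if inds & iocs}


def jaccard(a, b):
    """Set overlap in [0, 1]; 0.0 for two empty sets."""
    return len(a & b) / len(a | b) if a | b else 0.0


def sub_cluster(matching, threshold=0.4):
    """Greedy grouping: a sample joins the first sub-cluster whose members it
    resembles on average (Jaccard over all observed indicators, not only the IOCs,
    so variants sharing infrastructure group together); otherwise it seeds a new one."""
    groups = []
    for sid in sorted(matching):
        for g in groups:
            avg = sum(jaccard(matching[sid], matching[m]) for m in g) / len(g)
            if avg >= threshold:
                g.append(sid)
                break
        else:
            groups.append([sid])
    return groups


def select_representatives(groups, matching, iocs):
    """Pick the medoid of each sub-cluster (the sample most similar to its peers),
    breaking ties by IOC hit count and then by lowest sample id, so the choice
    is deterministic across runs."""
    chosen = []
    for g in groups:
        def key(sid):
            sim = sum(jaccard(matching[sid], matching[m]) for m in g if m != sid)
            return (sim, len(matching[sid] & iocs))
        chosen.append(max(sorted(g), key=key))  # max keeps the first of equal keys
    return chosen


def triage(samples, iocs, threshold=0.4):
    """Full loop: IOC match -> sub-cluster -> one representative per sub-cluster."""
    matching = matching_samples(samples, iocs)
    return select_representatives(sub_cluster(matching, threshold), matching, iocs)


if __name__ == "__main__":
    hits = matching_samples(SAMPLES, IOCS)
    print("samples with IOC hits:", sorted(hits))
    print("sub-clusters:", sub_cluster(hits))
    print("send for analysis:", triage(SAMPLES, IOCS))
```

On the constructed data, s6 drops out at the IOC-matching step, the five remaining samples fall into two sub-clusters (the /gate.php family and the update-check family), and only s1 and s4 are forwarded for deeper analysis; the other three are covered by their cluster's representative and need not consume sandbox or analyst time.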