DEVICE DETECTION IN NETWORK TELEMETRY WITH TLS FINGERPRINTING

    Publication (announcement) number: US20210152526A1

    Publication (announcement) date: 2021-05-20

    Application number: US16686364

    Filing date: 2019-11-18

    Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.

    Device detection in network telemetry with TLS fingerprinting

    Publication (announcement) number: US11245675B2

    Publication (announcement) date: 2022-02-08

    Application number: US16686364

    Filing date: 2019-11-18

    Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. The service calculates a measure of similarity between the set of one or more TLS fingerprints for the traffic associated with the particular device and a set of one or more TLS fingerprints of traffic associated with a second device. The service determines, based on the measure of similarity, that the particular device and the second device were operated by the same user.
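The two entries above (the pre-grant publication and the granted patent carry the same abstract) describe three steps: extract TLS features from telemetry, reduce them to a fingerprint per flow, and compare the fingerprint sets of two devices. The following is an added Python example, not code from the patent or its assignee. It assumes the JA3 field layout for the fingerprint (legacy version, cipher suites, extension types, supported groups, point formats, with RFC 8701 GREASE values removed so that a browser's randomised GREASE does not split one client into many fingerprints) and weighted Jaccard over the multiset of fingerprints as the similarity measure; the ClientHello records are constructed fixtures, not captured traffic, and the 0.5 threshold is a placeholder.

```python
"""Added example, not the patent's code: JA3-style TLS fingerprints from
ClientHello records and a similarity score between two devices' fingerprint sets.
Assumptions: JA3 field layout, GREASE stripped, weighted Jaccard similarity.
All ClientHello bytes below are constructed fixtures."""
import hashlib
import struct
from collections import Counter


def is_grease(v):
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) change per hello and must not enter a fingerprint."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def build_client_hello(version, ciphers, extensions):
    """Constructed fixture: a ClientHello inside a TLS record (zero random, empty session id)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                  # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def u16(buf, i):
    return struct.unpack(">H", buf[i:i + 2])[0]


def parse_client_hello(rec):
    """Return (version, cipher suites, extension types, supported groups, point formats)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                  # 5-byte record header + 4-byte handshake header
    version = u16(rec, pos); pos += 2 + 32   # legacy_version, then the 32-byte random
    pos += 1 + rec[pos]                      # session id (length-prefixed)
    n = u16(rec, pos); pos += 2
    ciphers = [u16(rec, i) for i in range(pos, pos + n, 2)]; pos += n
    pos += 1 + rec[pos]                      # compression methods (length-prefixed)
    end = pos + 2 + u16(rec, pos); pos += 2
    exts, groups, points = [], [], []
    while pos < end:
        etype, elen = u16(rec, pos), u16(rec, pos + 2); pos += 4
        data = rec[pos:pos + elen]; pos += elen
        exts.append(etype)
        if etype == 10:    # supported_groups: u16 list length, then u16 group ids
            groups = [u16(data, i) for i in range(2, len(data), 2)]
        elif etype == 11:  # ec_point_formats: u8 list length, then u8 format ids
            points = list(data[1:])
    return version, ciphers, exts, groups, points


def ja3_string(rec):
    version, ciphers, exts, groups, points = parse_client_hello(rec)
    dash = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    return ",".join([str(version), dash(ciphers), dash(exts), dash(groups), dash(points)])


def ja3_hash(rec):
    return hashlib.md5(ja3_string(rec).encode()).hexdigest()


def fingerprint_set(records):
    """The patent's 'set of one or more TLS fingerprints' for a device, kept as a multiset."""
    return Counter(ja3_hash(r) for r in records)


def similarity(a, b):
    """Weighted Jaccard over two fingerprint multisets: 1.0 = identical mix of clients."""
    keys = set(a) | set(b)
    den = sum(max(a[k], b[k]) for k in keys)
    return sum(min(a[k], b[k]) for k in keys) / den if den else 0.0


def same_user(a, b, threshold=0.5):
    return similarity(a, b) >= threshold


# Constructed hellos: a browser-like client (with GREASE) and a mail-client-like one.
def browser_hello(grease):
    return build_client_hello(0x0303, [grease, 0x1301, 0x1302, 0xc02b], [
        (grease, b""), (0, b"\x00\x0c\x00\x00\x09localhost"),
        (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"), (16, b"\x00\x03\x02h2")])


def mail_hello():
    return build_client_hello(0x0303, [0xc02f, 0xc030], [
        (0, b"\x00\x0c\x00\x00\x09localhost"), (10, b"\x00\x02\x00\x17"), (11, b"\x01\x00")])


DEVICE_A = fingerprint_set([browser_hello(0x1a1a), browser_hello(0x2a2a), mail_hello()])
DEVICE_B = fingerprint_set([browser_hello(0x3a3a), mail_hello(), mail_hello()])
DEVICE_C = fingerprint_set([build_client_hello(0x0303, [0x009c], [(0, b"")])])
```

Devices A and B run the same two client stacks in different proportions and score 0.5; device C, with a different stack, scores 0. The multiset matters: a device that uses a browser for 90% of its connections and a device that uses the same browser for 10% are not the same mix, even though their plain fingerprint sets are equal.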

    CROSS-DOMAIN INDICATOR OF COMPROMISE (IOC) IDENTIFICATION

    Publication (announcement) number: US20230281300A1

    Publication (announcement) date: 2023-09-07

    Application number: US17847829

    Filing date: 2022-06-23

    CPC classification number: G06F21/55 G06F2221/034

    Abstract: Techniques for identifying malicious actors across datasets of different origin. The techniques may include receiving input data indicative of network interactions between entities and modalities. Based at least in part on the input data, a maliciousness score associated with a first entity may be determined. In some instances, a value of the maliciousness score may be partially based on a number of the modalities that are interacting with the first entity and also interacting with one or more malicious entities. The techniques may further include determining whether the value of the maliciousness score exceeds a threshold value and, based at least in part on the value of the maliciousness score exceeding the threshold value, a request may be made to identify the first entity as a new malicious entity.
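The scoring rule in the abstract above (an entity's score rises with the number of modalities that interact both with it and with known malicious entities), as an added Python example that is not the patent's code. It assumes that entities are contacted domains and modalities are the internal hosts that contact them, that records from two datasets of different origin (a web proxy and a DNS resolver) are merged into one entity-to-modality graph, and that the score is the fraction of an entity's modalities that also touched a known malicious entity, with a minimum-support guard so that a domain seen from a single host cannot reach the threshold on one coincidence. All records are constructed.

```python
"""Added example, not the patent's code: maliciousness score of an entity from the
modalities it shares with known malicious entities, across datasets of different origin.
Assumptions: entities = contacted domains, modalities = internal hosts, score = fraction of
the entity's modalities that also contacted a known malicious entity. Records are constructed."""
from collections import defaultdict

# (dataset, modality, entity): constructed records from a web proxy and a DNS resolver.
INTERACTIONS = [
    ("proxy", "host-01", "bad.example"),
    ("proxy", "host-02", "bad.example"),
    ("proxy", "host-01", "x.example"),
    ("proxy", "host-02", "x.example"),
    ("dns",   "host-03", "x.example"),
    ("dns",   "host-01", "cdn.example"),
    ("dns",   "host-02", "cdn.example"),
    ("dns",   "host-03", "cdn.example"),
    ("dns",   "host-04", "cdn.example"),
    ("dns",   "host-05", "cdn.example"),
    ("dns",   "host-01", "y.example"),
    ("proxy", "host-04", "z.example"),
    ("proxy", "host-05", "z.example"),
]
KNOWN_MALICIOUS = {"bad.example"}


def entity_graph(records):
    """Bipartite view: entity -> set of modalities seen interacting with it, merged across datasets."""
    g = defaultdict(set)
    for _dataset, modality, entity in records:
        g[entity].add(modality)
    return g


def maliciousness_scores(records, known_bad, min_support=2):
    """Score each unlabelled entity by the share of its modalities that also touched a known bad entity."""
    g = entity_graph(records)
    tainted = set()
    for bad in known_bad:
        tainted |= g.get(bad, set())
    scores = {}
    for entity, mods in g.items():
        if entity in known_bad or len(mods) < min_support:
            continue  # already known, or too little evidence to score
        scores[entity] = len(mods & tainted) / len(mods)
    return scores


def request_new_iocs(records, known_bad, threshold=0.5, min_support=2):
    """Entities whose score exceeds the threshold: the 'request to identify as a new malicious entity'."""
    scores = maliciousness_scores(records, known_bad, min_support)
    return sorted(e for e, v in scores.items() if v > threshold)
```

Normalising by the entity's own modality count is what keeps a widely used shared service (cdn.example, contacted by every host including the two that reached bad.example) at 0.4, below the threshold, while x.example, contacted mainly by the same two hosts, scores 2/3. Dropping the support guard (min_support=1) lets y.example through on the strength of a single host, which is the kind of false positive the guard exists to stop.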

    RANSOMWARE DETECTION USING FILE REPLICATION LOGS

    Publication (announcement) number: US20200244672A1

    Publication (announcement) date: 2020-07-30

    Application number: US16261682

    Filing date: 2019-01-30

    Abstract: In one embodiment, a device in a network obtains log data regarding replication of files stored on an endpoint client to a file replication service. The device tracks, based on the obtained logs, encryption changes to the files that convert the files from unencrypted files to encrypted files. The device determines that the tracked encryption changes to the files are indicative of a ransomware infection on the endpoint client. The device initiates a mitigation action regarding the ransomware infection.
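The detection logic in the abstract above (track per-file transitions from unencrypted to encrypted in the replication log, decide that a burst of them is ransomware, then initiate a mitigation), as an added Python example run over constructed log lines; it is not the patent's code. The key=value log format is invented for the example and assumes the replication service records the content type it detected and the byte entropy of each uploaded file; a file counts as having become encrypted only when a previously recognised file is re-replicated as application/octet-stream with entropy near 8 bits/byte, and a client is flagged when at least min_conversions such transitions fall inside one window. The mitigation string is a placeholder for whatever the deployment's response hook does.

```python
"""Added example, not the patent's code: ransomware detection from file replication logs.
Assumptions: constructed key=value log format carrying mime and entropy per upload;
'became encrypted' = known file re-uploaded as application/octet-stream with entropy >= 7.5;
alert on >= min_conversions transitions per client inside a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed replication log: three documents on ws-17 get overwritten with high-entropy
# blobs, one is renamed to .locked; ws-22 only uploads a JPEG twice and a fresh archive.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z client=ws-17 op=upload path="/docs/a.docx" mime=application/msword entropy=4.9
2024-03-01T10:00:02Z client=ws-17 op=upload path="/docs/b.xlsx" mime=application/vnd.ms-excel entropy=5.1
2024-03-01T10:00:03Z client=ws-17 op=upload path="/docs/c.pdf" mime=application/pdf entropy=6.8
2024-03-01T10:00:04Z client=ws-22 op=upload path="/photos/x.jpg" mime=image/jpeg entropy=7.9
2024-03-01T10:09:10Z client=ws-17 op=upload path="/docs/a.docx" mime=application/octet-stream entropy=7.98
2024-03-01T10:09:11Z client=ws-17 op=rename path="/docs/a.docx" new_path="/docs/a.docx.locked"
2024-03-01T10:09:12Z client=ws-17 op=upload path="/docs/b.xlsx" mime=application/octet-stream entropy=7.97
2024-03-01T10:09:13Z client=ws-17 op=upload path="/docs/c.pdf" mime=application/octet-stream entropy=7.99
2024-03-01T10:09:20Z client=ws-22 op=upload path="/photos/x.jpg" mime=image/jpeg entropy=7.9
2024-03-01T10:15:00Z client=ws-22 op=upload path="/archive/backup.7z" mime=application/octet-stream entropy=7.99
"""


def parse_line(line):
    """Parse one constructed log line into a dict; quoted values keep their inner text."""
    ts, _, rest = line.partition(" ")
    rec = {k: (inner if raw.startswith('"') else raw) for k, raw, inner in KV.findall(rest)}
    rec["ts_raw"] = ts
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if "entropy" in rec:
        rec["entropy"] = float(rec["entropy"])
    return rec


def looks_encrypted(rec, min_entropy=7.5):
    """Entropy alone is not enough (JPEG and 7z are near 8 bits/byte); the type must also be unrecognised."""
    return rec.get("mime") == "application/octet-stream" and rec.get("entropy", 0.0) >= min_entropy


def detect_ransomware(lines, window=timedelta(minutes=5), min_conversions=3):
    state = {}                     # (client, path) -> last observed 'encrypted' flag
    recent = defaultdict(deque)    # client -> timestamps of recent unencrypted->encrypted changes
    alerts = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        client, path = rec["client"], rec["path"]
        if rec["op"] == "rename":  # carry the file's history under its new name (e.g. .locked)
            state[(client, rec["new_path"])] = state.pop((client, path), None)
            continue
        enc = looks_encrypted(rec)
        prev = state.get((client, path))
        state[(client, path)] = enc
        if prev is False and enc:  # only a tracked unencrypted -> encrypted change counts
            q = recent[client]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= min_conversions and not any(a["client"] == client for a in alerts):
                alerts.append({"client": client, "at": rec["ts_raw"], "conversions": len(q),
                               "action": "pause replication and isolate client"})  # placeholder mitigation
    return alerts
```

Two deliberate non-alerts in the sample: the JPEG on ws-22 has high entropy but is still recognised as an image, and backup.7z is first seen already opaque, so there is no unencrypted baseline to convert from. A user who legitimately archives a folder into an encrypted container in place would still trip the rule, which is why the window and conversion count, not a single transition, drive the decision.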

    CLASSIFICATION OF IOT DEVICES BASED ON THEIR NETWORK TRAFFIC

    Publication (announcement) number: US20200120004A1

    Publication (announcement) date: 2020-04-16

    Application number: US16156020

    Filing date: 2018-10-10

    Abstract: In one embodiment, a traffic analysis service obtains telemetry data regarding network traffic associated with a device in a network. The traffic analysis service forms a histogram of frequencies of the traffic features from the telemetry data for the device. The traffic features are indicative of endpoints with which the device communicated. The traffic analysis service associates a device type with the device, by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. The traffic analysis service initiates, based on the device type associated with the device, an adjustment to treatment of the traffic associated with the device by the network.
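The histogram comparison in the abstract above, as an added Python example that is not the patent's code. It assumes the traffic feature is the destination host:port of each flow, that the comparison is histogram intersection (the sum of per-bin minima of two normalised histograms, which is 1.0 for identical distributions), and that a device whose best match falls below a similarity floor stays unknown and is treated conservatively; the device types, flow records and treatment policies are constructed for the example.

```python
"""Added example, not the patent's code: classify a device from the histogram of
endpoints it talks to, then choose a traffic treatment for the assigned type.
Assumptions: feature = 'host:port' per flow, histogram intersection as the
similarity, hypothetical policies. All flow records are constructed."""
from collections import Counter

# Constructed flow telemetry from labelled devices: destination endpoints, one entry per flow.
LABELLED_FLOWS = {
    "ip-camera":  ["pool.ntp.org:123"] * 2 + ["cam-cloud.example:443"] * 6 + ["stun.example:3478"] * 2,
    "smart-plug": ["pool.ntp.org:123"] * 1 + ["iot-broker.example:8883"] * 9,
}


def histogram(endpoints):
    """Normalised frequency histogram of the endpoints a device communicated with."""
    counts = Counter(endpoints)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def intersection(h1, h2):
    """Histogram intersection similarity in [0, 1]; 1.0 means identical distributions."""
    return sum(min(h1.get(k, 0.0), h2.get(k, 0.0)) for k in h1.keys() | h2.keys())


def build_profiles(labelled):
    return {dtype: histogram(flows) for dtype, flows in labelled.items()}


def classify(endpoints, profiles, min_similarity=0.5):
    """Return (device_type, similarity); below min_similarity the device stays 'unknown'."""
    h = histogram(endpoints)
    best, score = max(((t, intersection(h, p)) for t, p in profiles.items()), key=lambda x: x[1])
    return (best, score) if score >= min_similarity else ("unknown", score)


# Hypothetical treatment per type: what the network adjusts once a type is assigned.
TREATMENT = {
    "ip-camera":  {"segment": "iot-video",   "allow_ports": [123, 443, 3478], "rate_limit_kbps": 4000},
    "smart-plug": {"segment": "iot-control", "allow_ports": [123, 8883],      "rate_limit_kbps": 64},
    "unknown":    {"segment": "quarantine",  "allow_ports": [],               "rate_limit_kbps": 0},
}


def treatment(device_type):
    return TREATMENT.get(device_type, TREATMENT["unknown"])


# Constructed telemetry for two unlabelled devices: one camera-like, one general-purpose host.
UNKNOWN_CAMERA = ["cam-cloud.example:443"] * 5 + ["stun.example:3478"] * 3 + ["pool.ntp.org:123"] * 2
UNKNOWN_LAPTOP = ["news.example:443", "mail.example:993", "cdn.example:443", "pool.ntp.org:123"]
```

The laptop shares only the NTP bin with either profile and lands in quarantine rather than being forced into the closest IoT class; a classifier without the floor would call it an ip-camera at 0.2 similarity and hand a general-purpose host an IoT allow-list. Endpoint bins should be built from the same feature on both sides (resolved name when available, otherwise IP), or a camera behind a CDN whose edge IPs rotate will never match its own profile.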

    ITERATIVE CROSS-PRODUCT THREAT DETECTION BASED ON NETWORK TELEMETRY RELATIONSHIPS

    Publication (announcement) number: US20240356957A1

    Publication (announcement) date: 2024-10-24

    Application number: US18373765

    Filing date: 2023-09-27

    CPC classification number: H04L63/1433 H04L63/1425

    Abstract: Techniques for identifying malicious threats for investigation using network telemetry data. The techniques include receiving network telemetry data regarding a computer network and also receiving information regarding one or more known malicious nodes which are designated as seeds. A Risk Map Graph (RMG) is constructed using the one or more seeds and the relationship data. The RMG is used to assign risk scores to the network nodes. Data regarding the most at-risk nodes is sent to a security service for investigation. Data is received from the security service as to which of the selected nodes are malicious. These malicious nodes are designated as new seeds, and another RMG is constructed with these new seed nodes. This process can be continuously iterated until either the security budget has been reached or all relevant nodes have been investigated.
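The seed, score, investigate, re-seed loop in the abstract above, as an added Python example that is not the patent's code. The abstract does not fix the scoring function, so this example assumes the Risk Map Graph is an undirected graph built from (src, dst) telemetry relationships and that risk is personalized PageRank restarted at the seed nodes, so that risk decays with distance from any confirmed malicious node; confirmed nodes are accumulated into the seed set across rounds; the "security service" is a callback returning True for malicious, standing in for an analyst or sandbox; the budget is counted in investigated nodes. Relationships and verdicts are constructed.

```python
"""Added example, not the patent's code: iterative seed-driven risk propagation over a
relationship graph under an investigation budget.
Assumptions: undirected RMG from (src, dst) pairs; risk = personalized PageRank from the
seeds; confirmed nodes join the seed set; 'security service' = verdict callback.
Relationships and the ground-truth verdicts are constructed."""
from collections import defaultdict

# Constructed telemetry relationships: ws-01 and ws-02 talked to the known C2; ws-01 then
# talked laterally to ws-03, which talked to ws-04; ws-07/ws-08 are an unrelated pair.
RELATIONSHIPS = [
    ("ws-01", "c2.example"), ("ws-02", "c2.example"),
    ("ws-01", "ws-03"), ("ws-03", "ws-04"),
    ("ws-07", "ws-08"),
]
TRULY_MALICIOUS = {"ws-01", "ws-03"}   # hidden ground truth the security service 'knows'


def security_service(node):
    """Stand-in for the investigation step: returns True when the node is confirmed malicious."""
    return node in TRULY_MALICIOUS


def build_rmg(relationships):
    adj = defaultdict(set)
    for a, b in relationships:
        adj[a].add(b)
        adj[b].add(a)
    return dict(adj)


def risk_scores(adj, seeds, alpha=0.85, iters=60):
    """Personalized PageRank: mass restarts at the seeds, so risk decays with distance from them."""
    seeds = [s for s in seeds if s in adj]
    if not seeds:
        return {v: 0.0 for v in adj}
    restart = {v: (1.0 / len(seeds) if v in seeds else 0.0) for v in adj}
    r = dict(restart)
    for _ in range(iters):
        nxt = {v: (1 - alpha) * restart[v] for v in adj}
        for u, nbrs in adj.items():
            share = alpha * r[u] / len(nbrs)
            for v in nbrs:
                nxt[v] += share
        r = nxt
    return r


def investigate(relationships, seeds, service, budget, batch=2):
    """Loop: score, pick the most at-risk uninvestigated nodes, get verdicts, re-seed, repeat."""
    adj = build_rmg(relationships)
    seeds, initial, investigated, rounds = set(seeds), set(seeds), set(), []
    while budget > 0:
        scores = risk_scores(adj, seeds)
        pool = [v for v in adj if v not in seeds and v not in investigated]
        pool.sort(key=lambda v: (-scores[v], v))        # highest risk first, name breaks ties
        chosen = pool[:min(batch, budget)]
        if not chosen or scores[chosen[0]] == 0.0:
            break                                       # nothing left that is connected to a seed
        verdicts = {v: bool(service(v)) for v in chosen}
        investigated.update(chosen)
        budget -= len(chosen)
        confirmed = {v for v, bad in verdicts.items() if bad}
        rounds.append({"seeds": sorted(seeds), "investigated": chosen,
                       "scores": {v: round(scores[v], 4) for v in chosen}, "confirmed": sorted(confirmed)})
        seeds |= confirmed                              # confirmed nodes become new seeds
    return rounds, seeds - initial
```

With a budget of four and batches of two, round one spends the budget on the C2's direct contacts and confirms ws-01; round two, re-seeded with ws-01, reaches ws-03 and ws-04, which a single pass from the original seed alone would have ranked below ws-02. The loop also stops early when the best remaining candidate has zero risk (ws-07/ws-08 never connect to a seed) rather than burning budget on unrelated nodes. High-degree shared infrastructure (DNS resolvers, file servers) will attract propagated risk in a real graph and should be down-weighted or excluded before ranking.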
